
Question on Automatic responses and EEPC


I have recently taken over management of our ePO / EEPC (MDE or whatever it is being called today) and was hoping someone could direct me to the info I need. I am working on setting up a response to report on any system that is not encrypted (in a decrypting or decrypted state) and am having trouble finding what to look for. The previous admin went the route of looking for events on the server with the filter being systems out of compliance. But that never worked (see below).

I started trying to base one off ePO notification events but the type is Client. I was looking at Event Description but for EEPC it seems that Decryption started would be the only option to help determine if the system was decrypting.

If someone could point me in the right direction that would be greatly appreciated.

Non-working

Event group - ePO Notification Events

Event type - Server

Filter - Event Description - Computers are non-compliant and Affected Comp Name is not blank

1 Solution

Accepted Solutions

Re: Question on Automatic responses and EEPC


There's an event ID: 30046: Deactivation Event (Info) which you could set up an automatic response to notify you as suggested by pwalski. Obviously assumes the client has connection to ePO.

If you go into Menu - Configuration - Server Settings - (and edit) Event Filtering, it shows you all the event IDs. Encryption ones start from 30000. If you've got older versions, there may be legacy ones there.

I've got automatic notifications for 30015, 30016 set up.

Set up a notification and deactivate a test PC to see if it works.

HTH


6 Replies

Re: Question on Automatic responses and EEPC


What version of EPO and EEPC / DEPC are you running? There are some standard dashboards (called Drive Encryption) that provide you with the top level information you're looking for.


Re: Question on Automatic responses and EEPC


Sorry, meant to include that:

EPO - 4.6.8

EEPC - mix of 7.0.2/3 and 7.1.1

I have the dashboard up but unless there can be an alert triggered from there it would not be enough.  Also, the plan would be to have the alert go to a group of people in case I am not available to check into the system to see why it is decrypting / decrypted.

Thanks for the reply.  Mike


Re: Question on Automatic responses and EEPC


About the best thing I could think of is utilizing Automatic Responses. Basically creating a new response that if the event ID for a decryption takes place (if there is such a thing) then email you or the list of people you're thinking of.

This is contingent on if the decrypt process triggers a specific event ID code. I've tried searching, but can't seem to find one. I'll keep looking just in case though.

Otherwise maybe just a semi-regular server task that runs a report and sends a CSV to you. Basically looking for the Drive Encryption state is decrypting.


Re: Question on Automatic responses and EEPC


Sorry for the slow reply, had been off for a bit. I have just gotten back to this and set up the auto response and configured a system so it started decrypting, but unfortunately it isn't sending the email. If I show client events (System Tree > Check system > Actions >) on the system, I am only seeing Event ID 30000 and 30004. No 15/16 IDs.

The Automatic response is configured as below:

Event: Event group: ePO Notification Events
Event type: Client
Status: Enabled
Aggregation: Trigger this response for every event.
Grouping: Do not group aggregated events.
Throttling: This response is not throttled.
Actions: 1: Send Email

Re: Question on Automatic responses and EEPC


Hmm, maybe I was a little too quick.  It eventually sent me an email.  Now to see about getting the agent info included.

Edit: OK, got it working. Now wondering if I can get one email with all systems rather than an individual email for each system.
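
The CSV-report route suggested earlier in the thread can also produce the single combined email asked about in the last post. The sketch below is an added example, not code from any poster or from McAfee: it filters an exported client-event report for the event IDs named in the thread and builds one digest message. The CSV column names, sample rows and mail addresses are constructed assumptions, not ePO's actual export schema.

```python
import csv
import io
from collections import defaultdict
from email.message import EmailMessage

# Event IDs named in the thread; only 30046 is described there (Deactivation Event).
WATCHED_EVENT_IDS = {30015, 30016, 30046}

# Constructed sample export. Column names are assumptions, not ePO's schema.
SAMPLE_CSV = """\
System Name,Event ID,Event Received
LAPTOP-01,30000,2014-03-01 09:00
LAPTOP-01,30046,2014-03-01 09:05
DESKTOP-07,30004,2014-03-01 09:10
DESKTOP-07,30015,2014-03-01 09:12
LAPTOP-22,30016,2014-03-01 09:30
LAPTOP-01,30046,2014-03-01 09:40
"""

def collect_flagged(csv_text, watched=WATCHED_EVENT_IDS):
    """Return {system name: sorted watched event IDs seen for that system}."""
    flagged = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("System Name") or "").strip()
        try:
            event_id = int(row.get("Event ID"))
        except (TypeError, ValueError):
            continue  # skip rows with a missing or non-numeric event ID
        if name and event_id in watched:
            flagged[name].add(event_id)  # a set collapses repeated events
    return {name: sorted(ids) for name, ids in sorted(flagged.items())}

def build_digest(flagged, sender, recipients):
    """Build one message covering every flagged system, or None if there are none."""
    if not flagged:
        return None
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = f"Drive encryption events on {len(flagged)} system(s)"
    msg.set_content("\n".join(
        f"{name}: event IDs {', '.join(map(str, ids))}"
        for name, ids in flagged.items()))
    return msg

if __name__ == "__main__":
    print(build_digest(collect_flagged(SAMPLE_CSV),
                       "epo@example.invalid", ["encryption-admins@example.invalid"]))
```

Sending the returned message (for example with `smtplib`) is left out so the block runs offline.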
