Hi, I am looking to implement FRP for Removable Media devices and I am looking at the options for recovery. I noticed that using certificates seems okay; however, anyone using the same certificate can essentially reset someone's password, which is brutal. Can I suggest McAfee combine in some sort of random character generator for ePO administrators to use along with the policy certificate, so the user has to contact IT or the ePO Admin to get this randomly generated passcode, along with having to be part of the policy, in order to reset their password? Just a sort of 2-factor authentication.
I would like to have a recovery option in case someone forgets their password on their USB drive but not at the expense of having it wide open to the whole organization.
Anyone have any thoughts on what they are doing to secure their USB drives yet allow IT or someone the ability to recover the data if the user forgets the password?
You could look at using User Personal Keys (UPKs) for recovery. UPKs can be referenced generically as part of policies but create unique keys for assigned users. This means that only users who initialized the device can recover the device. Recovery is also a seamless process (everything happens behind the scenes): the user just clicks on Forgotten Password on any FRP machine and can reset the authentication credentials. This article is a little dated but provides useful information: https://community.mcafee.com/community/business/data/epoenc/blog/2012/12/19/how-to-use-endpoint-encr...