jebeling (McAfee Employee), Message 1 of 2

How Can MCP Policy be Changed Dynamically Based on Network Location


MCP has built-in features that allow MCP to stand up or stand down based on network location. What if I want to have MCP always enabled and have different MCP redirection policies based on network location? ePO can be configured to tag systems based on network address and then apply policy based on those tags, but that would take at least one ASCI cycle to take effect and could take almost 2 full ASCI cycles. And what if you aren't managing MCP policy with ePO?

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
Accepted Solution

jebeling (McAfee Employee), Message 2 of 2

Re: How Can MCP Policy be Changed Dynamically Based on Network Location


For Windows this can be accomplished with a scheduled action that triggers a PowerShell script based on a network change event (10000). There are probably other configurations that will work. This may not be the best way, but it does work effectively. Obviously you could use other triggers, landmarks, and tests.

Triggering the script

My script was C:\ProgramData\MCP\NetworkScript.ps1:

[Screenshot: MCP Sched1.PNG]

Running as the interactive user account is accomplished with the following command line:

schtasks /change /TN <Task_Name> /RU "NT AUTHORITY\INTERACTIVE"

Example of the above:

schtasks /change /TN "MCP Policy Switch" /RU "NT AUTHORITY\INTERACTIVE"

[Screenshot: MCP Sched2.PNG]

Program/Script: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

Arguments: -ExecutionPolicy ByPass -WindowStyle Hidden -File NetworkScript.ps1

[Screenshot: MCP Sched3.PNG]

There will likely be multiple 10000 events, so a sleep is added to the script: we don't want to run the script multiple times, and we want the network to settle before testing connectivity.

[Screenshot: MCP Sched4.PNG]

[Screenshot: MCP Sched5.PNG]
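The same task can be created from PowerShell instead of clicking through the Task Scheduler screenshots. The block below is an added example, not code from the original post. It assumes the "network change event (10000)" the post refers to is Event ID 10000 in the Microsoft-Windows-NetworkProfile/Operational log, reuses the post's task name "MCP Policy Switch" and script path, and passes the script by full path rather than relying on the task's "Start in" directory. It also sets MultipleInstances to IgnoreNew so that a burst of 10000 events cannot start a second copy of the script while the first is still sleeping.

```powershell
# Added example (not from the original post): register the event-triggered task.
# Assumptions: Event ID 10000 lives in Microsoft-Windows-NetworkProfile/Operational;
# task name and script path are the ones used in the post.
$TaskName   = 'MCP Policy Switch'
$ScriptPath = 'C:\ProgramData\MCP\NetworkScript.ps1'
$LogName    = 'Microsoft-Windows-NetworkProfile/Operational'

function Register-McpPolicySwitchTask {
    param(
        [string]$Name   = $TaskName,
        [string]$Script = $ScriptPath
    )

    # New-ScheduledTaskTrigger has no "On an event" parameter set, so build the
    # MSFT_TaskEventTrigger CIM instance directly with the same XPath query the
    # Task Scheduler GUI writes for an event trigger.
    $triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                                 -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
    $trigger.Enabled = $true
    $trigger.Subscription = @"
<QueryList><Query Id="0" Path="$LogName">
  <Select Path="$LogName">*[System[EventID=10000]]</Select>
</Query></QueryList>
"@

    # Same executable and arguments as the post's task, with the script given by full path.
    $action = New-ScheduledTaskAction `
        -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -Argument "-ExecutionPolicy Bypass -WindowStyle Hidden -File `"$Script`"" `
        -WorkingDirectory (Split-Path -Parent $Script)

    # IgnoreNew: several 10000 events arriving together must not start the script
    # several times. The time limit stops a hung script from lingering.
    $settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
        -ExecutionTimeLimit (New-TimeSpan -Minutes 5) `
        -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
        -Settings $settings -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

    # The post then switches the run-as account to the interactive user with schtasks;
    # the same step is reproduced here so the task matches the post's configuration.
    & schtasks.exe /change /TN $Name /RU 'NT AUTHORITY\INTERACTIVE' | Out-Null
}

# Run from an elevated PowerShell session.
Register-McpPolicySwitchTask
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

Run it once from an elevated session; afterwards Get-ScheduledTask should show the task as Ready, and the next network connect event will launch the script.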

 

The script itself (I used PowerShell) can perform various network tests and, depending on the results, copy a policy (.opg) file from a fileshare (on network, or service; it could even be on MWG) or a local directory on the system itself to C:\ProgramData\McAfee\MCP\Policy\Temp\MCPPolicy.opg. My example uses a policy file named OffNet.opg and a file named OnNet.opg for the respective network location detections. It also should be noted that you may want to lock down the Temp directory, so that only McAfee Agent or the script can overwrite MCPPolicy.opg.
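Locking down the Temp directory, as the reply recommends, can be scripted and verified. The block below is an added example and not part of the original post. It assumes the directory path named above, that McAfee Agent runs as SYSTEM, and that $ScriptRunner is a placeholder for whichever account the scheduled task actually runs the script as; it replaces the inherited ProgramData permissions with an explicit list so that ordinary users can read but not replace MCPPolicy.opg.

```powershell
# Added example (not from the original post): restrict write access to the MCP policy
# Temp directory. Assumptions: path as in the post; McAfee Agent runs as SYSTEM;
# $ScriptRunner is a placeholder for the account the scheduled task runs as.
$PolicyTemp   = 'C:\ProgramData\McAfee\MCP\Policy\Temp'
$ScriptRunner = 'NT AUTHORITY\SYSTEM'   # placeholder: the task's run-as account

function Protect-McpPolicyTemp {
    param(
        [string]$Path   = $PolicyTemp,
        [string]$Writer = $ScriptRunner
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Policy temp directory not found: $Path"
    }

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting the permissive ProgramData ACEs and discard the inherited copies,
    # so the list below is the complete set of permissions on the directory.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = $Writer;                  Rights = 'Modify' },        # the policy switch script
        @{ Id = 'BUILTIN\Users';          Rights = 'ReadAndExecute' } # read only
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Id, $r.Rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-McpPolicyTempAcl {
    # Returns $true when no broad principal holds any right that could replace the file.
    param([string]$Path = $PolicyTemp)
    $writeLike = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $offending = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeLike) -ne 0)
    }
    return (@($offending).Count -eq 0)
}

# Run from an elevated session, then confirm the result.
Protect-McpPolicyTemp
Test-McpPolicyTempAcl   # expected $true after the lockdown
```

If the task is switched to run as NT AUTHORITY\INTERACTIVE, as the post does, the script runs as whoever is logged on, and giving that group Modify on the directory means any logged-on user can drop in their own MCPPolicy.opg; Test-McpPolicyTempAcl flags that case. A dedicated service account, or keeping the Copy-Item step in a SYSTEM task, keeps the write path narrow.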

This will work wonderfully if you are managing MCP policy with UCE. You can just update your policies in UCE and the client will pull the latest at the next configured interval. I would recommend setting the refresh on the distributed policy files to 5 minutes, but the versions in UCE to 15 or 30 minutes.

But what if you are managing policies with ePO (MVISION or on-premise)? In that situation, you would want to make sure that you have the latest policy from ePO that is appropriate for the network you are on, and report the correct status in ePO. This gets a little more complicated but is still possible. One option is to just set the global policy to McAfee Default to prevent overwrite, but then any time you make a policy change you would need to redistribute the revised policies to the endpoints or to a share they can always access regardless of network location. The preferred option is to use properties, tags and McAfee Agent commands in your script when MCP policy is managed by ePO.

You can set a custom property (prop1 below) for McAfee Agent with this command:

maconfig.exe -custom -prop1 "<string>"

Then you can set a tag based on the property (enable it to be evaluated on every communication):

[Screenshot: MCP Policy1.PNG]

Then you can set a policy based on the tag:

[Screenshot: MCP Policy2.PNG]

 

You can trigger a property send to ePO:

cmdagent.exe -p

You can trigger a policy download from ePO:

cmdagent.exe -c

You can trigger local policy enforcement:

cmdagent.exe -e

Wait for the policy to apply, then send the new properties to ePO:

cmdagent.exe -p

Example PowerShell script:

# My policy files are placed in C:\ProgramData\MCP. The landmark was my ePO server at 192.168.11.137:8443

# Let the network settle; there will be multiple Network eventID 10000s
Start-Sleep -s 10

$landmarkip   = "192.168.11.137"
$landmarkport = 8443
$timeout      = 2000

# The async wait handle is signalled when the connect attempt completes, whether it succeeded
# or was refused, so Connected is checked as well before the landmark counts as reached.
$tcpobject = [System.Net.Sockets.TcpClient]::new()
$connect   = $tcpobject.BeginConnect($landmarkip, $landmarkport, $null, $null)
$wait      = $connect.AsyncWaitHandle.WaitOne($timeout, $false)
$reached   = $wait -and $tcpobject.Connected
$tcpobject.Close()

if ($reached) {
    # Landmark reached
    Write-Host "Success"
    # Apply on net policy to MCP directly from local file (could be from accessible share)
    Copy-Item "C:\ProgramData\MCP\OnNet.opg" -Destination "C:\ProgramData\McAfee\MCP\Policy\Temp\MCPPolicy.opg"
    # Set location for agent executables
    Set-Location -Path "C:\Program Files\McAfee\Agent"
    # Set McAfee Agent property to OnNet
    .\maconfig.exe -custom -prop1 "OnNet"
} else {
    # Landmark not reached
    Write-Host "Failed"
    # Apply off net policy to MCP directly from local file (could be from accessible share)
    Copy-Item "C:\ProgramData\MCP\OffNet.opg" -Destination "C:\ProgramData\McAfee\MCP\Policy\Temp\MCPPolicy.opg"
    # Set location for agent executables
    Set-Location -Path "C:\Program Files\McAfee\Agent"
    # Set McAfee Agent property to OffNet
    .\maconfig.exe -custom -prop1 "OffNet"
}

# Force McAfee Agent to communicate with ePO (optional: gets and reports the latest MCP policy and revision based on the agent property set above)

# Collect and send properties
.\cmdagent.exe -p

# Retrieve new policies (will get the policy assigned via the tag set from the custom property)
.\cmdagent.exe -c

# Enforce new policies
.\cmdagent.exe -e

# Sleep to allow time for the policy to be applied
Start-Sleep -s 10

# Report new policy status back to ePO
.\cmdagent.exe -p

The above script works very nicely as long as ePO can be reached on all networks. If it cannot, I recommend commenting out the .\cmdagent.exe -e line, or moving all the commands that use the agent so they only execute on networks that can reach ePO; otherwise the enforcement will enforce the policy that was in place when the client was last able to communicate with ePO.
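The landmark test in the script above only checks that something accepts a TCP connection on 192.168.11.137:8443; any network that answers on that address and port would be treated as "on net" and receive the OnNet redirection policy. The block below is an added example, not code from the original post: it keeps the post's landmark and timeout but also requires the landmark to present a known TLS server certificate before the test passes. $ExpectedThumbprint is a placeholder and must be replaced with the SHA-1 thumbprint of the actual ePO server certificate.

```powershell
# Added example (not from the original post): a landmark test that pins the landmark's
# TLS certificate. Assumptions: landmark is the post's ePO server at 192.168.11.137:8443;
# $ExpectedThumbprint is a placeholder for the real server certificate thumbprint.
$LandmarkIp         = '192.168.11.137'
$LandmarkPort       = 8443
$LandmarkTimeoutMs  = 2000
$ExpectedThumbprint = '0000000000000000000000000000000000000000'  # placeholder value

function Test-Landmark {
    param(
        [string]$Ip         = $LandmarkIp,
        [int]   $Port       = $LandmarkPort,
        [int]   $TimeoutMs  = $LandmarkTimeoutMs,
        [string]$Thumbprint = $ExpectedThumbprint
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $ssl = $null
    try {
        # Wait() returns $false on timeout and throws when the connection is refused or
        # the host is unreachable, so a fast RST cannot be mistaken for success.
        if (-not $client.ConnectAsync($Ip, $Port).Wait($TimeoutMs)) { return $false }
        if (-not $client.Connected) { return $false }

        # Accept any chain at this stage: ePO certificates are commonly issued by ePO's own CA.
        # The accept/reject decision is made below by comparing the leaf certificate thumbprint.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Ip)

        $seen = $ssl.RemoteCertificate.GetCertHashString()     # SHA-1 hex, no separators
        $want = ($Thumbprint -replace '[^0-9A-Fa-f]', '')       # tolerate pasted "AB:CD:.." form
        return ($seen -ieq $want)
    }
    catch {
        # Timeout, refused, reset or TLS failure: treat as "not on the expected network".
        return $false
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Usage in the post's script: replace the BeginConnect block and `if ($wait)` with this.
if (Test-Landmark) {
    Write-Host "Landmark verified: apply OnNet policy"
} else {
    Write-Host "Landmark not verified: apply OffNet policy"
}
```

Because the thumbprint pins one specific certificate, the placeholder has to be updated whenever the ePO server certificate is renewed; if it is not, every network will be treated as off net, which is the safer of the two failure directions for a redirection policy.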

If anyone knows how to get rid of the annoying PowerShell command window, please comment. I tried using -WindowStyle Hidden but that did not seem to help.


