9 Replies Latest reply on Mar 16, 2017 5:04 AM by rizwankhan

    Applying DLP agent policies without EPO!

      I am deploying DLP agents 2.2.200.11 using EPO 4p4 and everything is going well. The problem I have is I need to deploy DLP to remote machines that are not on a network and hence cannot connect to the EPO server.

      If I run the DLP agent MSI it installs, but how do I import/use the policy I've created? Is this possible? I've exported the policies to an opg file from EPO.

      Many thanks in advance,
      Mark
        • 1. DLP policy injection
          Hi

          These are the steps to perform policy injection:

          (a) Set the agent to a policy injection mode:
          1. Install the DLP Agent and do NOT perform reboot after installation.
          2. Open the following registry key on your agent machine:
          ---- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DLP\Agent
          3. Add the following 2 properties to the registry key:
          ---- PolicyInjectionRefreshIntervalInSec = 00000003 (this value is type DWORD)
          ---- PolicyInjectionFolder = c:\Temp\PoIicy (this value is a string and can be any valid path on your machine.)
          4. restart the agent machine.

          (b) inject the policy
          1. Prepare your policy: in the Management Console create the policy and save it to disk. You will get the following 3 files:
          ---- GlobalPolicy.opg
          ---- GlobalPolicy.opgc
          ---- GlobalPolicy.opgg

          2. Copy these 3 files into the c:\Temp\PoIicy on the agent machine (no need to restart again, the agent-service will see that the files are there and will take them).


          Good luck

          Alex
          • 2. RE: DLP policy injection
            Works a treat,
            Thanks Alex
            • 3. Re: DLP policy injection
              SCtbe

              Hi,

               

              I found this useful after applying a wrong policy which effectively blocked almost all machine interfaces, including network cards.

              Policy injection, however, does not work if the DLP agent is already activated, so you have to do some additional steps.

              These are:

              1. Boot system in safe mode.

              2. Kill fcags.exe process (sometimes two times or more).

              3. Manually delete DLP folder.

              4. Perform steps from policy injection procedure.

              5. Restart machine in normal mode.

              6. Install DLP agent manually from installation package.

              7. Reboot machine and wait for application of injected policies.

               

              I hope someone will find this useful.

              • 4. Re: DLP policy injection

                I've moved this thread to our Host DLP product area. Please let me know if it belongs in Network DLP.

                • 5. Re: Applying DLP agent policies without EPO!
                  lantuin

                  Hello,

                  can I apply this solution in a DLP 9.3 environment?

                   

                  Thanks and best regards.

                  • 6. Re: Applying DLP agent policies without EPO!
                    mrp

                    no body to way this way for dlp 9.3

                    • 7. Re: Applying DLP agent policies without EPO!
                      mrp

                      this way to install dlp  without epo

                       

                      (a) Set the agent to a policy injection mode:
                      1. Install the DLP Agent and do NOT perform reboot after installation.
                      2. Open the following registry key on your agent machine:
                      ---- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DLP\Agent
                      3. Add the following 2 properties to the registry key:
                      ---- PolicyInjectionRefreshIntervalInSec = 00000003 (this value is type DWORD)
                      ---- PolicyInjectionFolder = c:\Temp\PoIicy (this value is a string and can be any valid path on your machine.)
                      in dlp 9.3 HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DLP\Agent\PolicyInjection
                      4. restart the agent machine.

                      (b) inject the policy
                      1. Prepare your policy: in the Management Console create the policy and save it to disk. You will get the following 3 files:
                      ---- GlobalPolicy.opg
                      ---- GlobalPolicy.opgc
                      ---- GlobalPolicy.opgg

                      2. Copy these 3 files into the c:\Temp\PoIicy on the agent machine (no need to restart again, the agent-service will see that the files are there and will take them).

                      • 8. Re: Applying DLP agent policies without EPO!
                        razi_hasan

                        Hi

                         

                        These are the steps to perform policy injection:

                        (a) Set the agent to a policy injection mode:
                        1. Install the DLP Agent and do NOT perform reboot after installation.
                        2. Open the following registry key on your agent machine:
                        ---- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DLP\Agent
                        3. Add the following 2 properties to the registry key:
                        ---- PolicyInjectionRefreshIntervalInSec = 00000003 (this value is type DWORD)
                        ---- PolicyInjectionFolder = c:\Temp\PoIicy (this value is a string and can be any valid path on your machine.)
                        4. restart the agent machine.

                        (b) inject the policy
                        1. Prepare your policy: in the Management Console create the policy and save it to disk. You will get the following 3 files:
                        ---- GlobalPolicy.opg
                        ---- GlobalPolicy.opgc
                        ---- GlobalPolicy.opgg

                        2. Copy these 3 files into the c:\Temp\PoIicy on the agent machine (no need to restart again, the agent-service will see that the files are there and will take them).

                        Good luck
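
The policy injection procedure given in replies 1, 7 and 8, written as a two-phase PowerShell script. This is an added example, not part of any post in the thread and not vendor code. The phase names, the `$ExportFolder` location and the folder ACL step (which assumes the agent service runs as LocalSystem) are assumptions; the registry key, value names and file names are the ones quoted in the thread.

```powershell
# Added example, not from the thread. Run elevated on the agent machine.
#   -Phase Configure : after installing the agent MSI, before the first reboot (part a)
#   -Phase Inject    : after the restart, with the exported policy files at hand (part b)
param(
    [Parameter(Mandatory)][ValidateSet('Configure', 'Inject')][string]$Phase,
    # Key named in the thread; reply 7 gives ...\DLP\Agent\PolicyInjection for DLP 9.3.
    [string]$AgentKey = 'HKLM:\SOFTWARE\McAfee\DLP\Agent',
    # The thread's example path; per the thread any valid local path can be used.
    [string]$InjectFolder = 'c:\Temp\PoIicy',
    # Assumed location of the three files saved from the management console.
    [string]$ExportFolder = '.\PolicyExport'
)
$ErrorActionPreference = 'Stop'
$PolicyFiles = 'GlobalPolicy.opg', 'GlobalPolicy.opgc', 'GlobalPolicy.opgg'

if ($Phase -eq 'Configure') {
    # The base key is the one the thread says to open after installing the agent.
    if (-not (Test-Path 'HKLM:\SOFTWARE\McAfee\DLP\Agent')) {
        throw 'DLP agent registry key not found; install the agent first.'
    }
    # Create the target key only if absent (New-Item -Force would reset an existing key).
    if (-not (Test-Path $AgentKey)) { New-Item -Path $AgentKey | Out-Null }
    New-ItemProperty -Path $AgentKey -Name 'PolicyInjectionRefreshIntervalInSec' `
        -PropertyType DWord -Value 3 -Force | Out-Null
    New-ItemProperty -Path $AgentKey -Name 'PolicyInjectionFolder' `
        -PropertyType String -Value $InjectFolder -Force | Out-Null
    New-Item -ItemType Directory -Path $InjectFolder -Force | Out-Null
    # Hardening added here, assuming the agent service runs as LocalSystem:
    # only SYSTEM (S-1-5-18) and local Administrators (S-1-5-32-544) may write
    # to the folder the agent loads policy from.
    icacls $InjectFolder /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
    # Read the values back so the operator can confirm them before restarting.
    Get-ItemProperty -Path $AgentKey |
        Select-Object PolicyInjectionRefreshIntervalInSec, PolicyInjectionFolder
    Write-Host 'Injection mode set. Restart the machine, then run with -Phase Inject.'
}
else {
    # Copy to the folder the agent is actually configured to read, not the parameter.
    $target = (Get-ItemProperty -Path $AgentKey).PolicyInjectionFolder
    if (-not $target -or -not (Test-Path $target)) {
        throw "PolicyInjectionFolder is not configured under $AgentKey."
    }
    # Refuse a partial set: the thread lists three files that belong together.
    $missing = $PolicyFiles | Where-Object { -not (Test-Path (Join-Path $ExportFolder $_)) }
    if ($missing) { throw "Export incomplete, missing: $($missing -join ', ')" }
    foreach ($f in $PolicyFiles) {
        Copy-Item -Path (Join-Path $ExportFolder $f) -Destination $target -Force
    }
    Write-Host "Copied $($PolicyFiles.Count) policy files to $target."
}
```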

                        • 9. Re: Applying DLP agent policies without EPO!
                          rizwankhan

                          hello razi hasan

                           

                          Can you tell me how to export the following extension files from ePO? I have tried but am still not able to export these files.

                          ---- GlobalPolicy.opg
                          ---- GlobalPolicy.opgc
                          ---- GlobalPolicy.opgg