2 Replies Latest reply on Sep 14, 2017 2:14 PM by Moe Hassan

    Ensuring ePO deploys to all PCs/Laptops

    k.howard

      Good morning,

      We have run ePO for several years but the original server was set up with mostly default options and wasn't maintained. Due to colleagues leaving the organisation I have adopted ePO and the management of it. Earlier this year we deployed a new server with the latest version of ePO and started to migrate clients over to this ePO server. The previous server is still in place and is still managing some clients. Ideally I want to get everything moved over to the new server so we can decommission the old one.

      I'm looking for some advice to ensure the new server is capturing existing and new clients and installing the agent as well as ENS.

      We currently have a server task configured which searches for any unmanaged systems with the 'DT' and 'LT' tag (desktop and laptop) and attempts to deploy the agent. We also have a continuous deployment set up in the product deployment section which attempts to push Endpoint Security Threat Prevention, Endpoint Security Firewall & Endpoint Security Platform to anything with the DT and LT tag.

      Is this the best way to go about it?

       

      The only thing I'm then worried about is new systems. We have AD Sync on but I'm not sure if anything is being automatically tagged with 'DT' or 'LT' (or if this is even possible?)

       

      Any help/advice or tips and tricks would be much appreciated, as I'm still finding my way round the product!

       

      Thanks in advance.

       

      Katrina

        • 1. Re: Ensuring ePO deploys to all PCs/Laptops
          martinph

          This sounds like a case for Rogue System Detection.

           

          If you schedule an hourly check for new rogues and deploy McAfee Agent as a response to that task you should be OK.

           

          Then schedule an hourly task to deploy your chosen AV software and you should be set; no machine will be able to be on your network for more than 2 hours at most before it has AV on it.

          • 2. Re: Ensuring ePO deploys to all PCs/Laptops
            Moe Hassan

            k.howard, Welcome to McAfee community.

             

            This is a common scenario. The first thing you should do is "register" each server on the other one. You will have to export/import keys. What this will allow is to "transfer" your systems, policies, tasks, tags etc. from the OLD server to the new one with the click of a button. Once you've transferred all systems, keep the old server up for some time to see whether some agents are still connected to it.

             

            Existing clients can be "transferred" to the new ePO after registering as mentioned above. OR you can install McAfee Agent on these systems, which will then communicate with the new ePO.

            New clients - Set up RSD as mentioned by martinph above. Highly active servers such as DNS, DHCP, DCs are good candidates. As always, test for any adverse performance impact. You can create custom "Query" based server tasks that will target "unmanaged" systems and will try to deploy agents on them. I'm assuming your systems are domain joined, which will make the deployment process easy. In addition, you can provide your technicians the McAfee Agent package to be baked into their system image. This way when machines are given to users, they will already have McAfee Agent (and other packages such as ENS).

             

            You can most certainly apply tags automatically. It depends on a few things. For example, if your laptops and desktops are in different containers in AD, within McAfee ePO, you can configure your systems folder to apply those tags. If your systems have certain naming conventions (i.e., name begins with "DT" or "LT" prefix) you can apply tags as needed.
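
An offline audit of the tagging rules discussed in this thread, added here as an example that is not part of any post and is not McAfee's own tooling: it applies the name-prefix and AD-container rules to a system inventory and lists the unmanaged machines that would receive neither tag, which a DT/LT-scoped deployment task would never target. The CSV column names, OU names and hostnames are constructed assumptions, not an ePO export format.

```python
import csv
import io

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_EXPORT = """name,ad_path,managed
DT-FIN-001,"OU=Desktops,DC=example,DC=local",yes
LT-HR-014,"OU=Laptops,DC=example,DC=local",no
dt-lab-007,"OU=Desktops,DC=example,DC=local",no
KIOSK-03,"OU=Misc,DC=example,DC=local",no
WS-OLD-22,"OU=Laptops,DC=example,DC=local",no
LT-MOVED-09,"OU=Desktops,DC=example,DC=local",no
PRN-SRV-01,"OU=Servers,DC=example,DC=local",yes
"""

# Assumed rules mirroring the thread: name prefix or AD container decides the tag.
NAME_PREFIX_TAGS = {"DT": "DT", "LT": "LT"}
CONTAINER_TAGS = {"OU=DESKTOPS": "DT", "OU=LAPTOPS": "LT"}

def candidate_tags(name, ad_path):
    """Return the set of tags the two rules would apply to one system."""
    tags = set()
    upper_name = name.strip().upper()
    for prefix, tag in NAME_PREFIX_TAGS.items():
        if upper_name.startswith(prefix):
            tags.add(tag)
    for part in ad_path.upper().split(","):
        if part.strip() in CONTAINER_TAGS:
            tags.add(CONTAINER_TAGS[part.strip()])
    return tags

def audit(export_text):
    """Sort systems into tagged, conflicting, untagged and missed lists."""
    report = {"tagged": {}, "conflict": [], "untagged": [], "missed": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        tags = candidate_tags(row["name"], row["ad_path"])
        if len(tags) == 1:
            report["tagged"][row["name"]] = tags.pop()
        elif len(tags) > 1:
            # Name says one thing, container says another: review by hand.
            report["conflict"].append(row["name"])
        else:
            report["untagged"].append(row["name"])
            if row["managed"].strip().lower() != "yes":
                # Unmanaged and untagged: a DT/LT-scoped task never targets it.
                report["missed"].append(row["name"])
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(key, value)
```
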