7 Replies Latest reply on May 28, 2009 9:16 AM by +++Phill+++

    Port Control

      We are testing using Port control, by allowing certain usb pen drives and blocking others. I know you can only really block a certain type of pen drive, e.g. SANDISK 1GB 6.22 but i you can't lock it down to the serial number or full device ID.

      Is there anyway around this? So that you can restrict to serial numbers or full device ID? I tried to modify the xml files that you can import but didn't work.
        • 1. RE: Port Control
          challiwag
          For this level of restriction, you would have to use McAfee's Device control, which is part of the DLP suite, I beleive that McAfee are planning to not put more work into port control and instead concentrate on Device control, as it already has more functionality.
          • 2. RE: Port Control
            all true - Port Control was designed to be simple and have only the most essential functionality - so you can block device types and names, but not block one device, but allow another identical device to work.

            Device Control (a subset of the McAfee Host DLP product) has all the detailed features, but is thus a little more complex to implement. DLP is where we'll be spending our effort in the future though.
            • 3. Port Control OUT - DLP in


              Right, so we have set up a test environment, installed ePO 4.0, deployed Endpoint Encryption for Files and Folders as well as Endpoint Encryption for PC, but there is no sign of a package to install and /or manage Port Control.

              Fine, I hear you say - because DLP will handle this - BUT how do you remove the Port Control client from (in our case over 1000 in the operational environment) client PCs WITHOUT the need for them all to be visited, just because the uninstall argument is the ONLY argument in the installation exe.

              How then, to remove Port Control AUTOMATICALLY - using ePO? Is this even possible?
              • 4. RE: Port Control OUT - DLP in
                I don't think it is possible to remove non-connected products from EPO. SafeBoot Port Control can only be managed through the old SafeBoot Management Center, or new Endpoint Encryption Management Center. It has no EPO component (and never will).

                As you say, to uninstall it you just have to run the install set with the special command (or use add/remove programs).

                how did you install Port Control in the first place? Did you visit each machine?
                • 5. Can Port Control Removal be automated
                  Ok - here is what we did:

                  1000 plus laptops through the doors, over the course of 5 months had the following installed: SafeBoot Device Encryption, SafeBoot Port Control, and SafeBoot Content Encrytpion.

                  We ran the installation sets for EACH, allowing the encryption to finish before putting port control, rebooting then installing CE. Note that the install sets changed with the safeboot magament console versions from 5500 to current 5700, and the resulting installation LOCATION therefore changing from c:\program files\safeboot... to c:\program files\ McAfee

                  So, straight away we have an issue with removal of Port Control and CE/EEFF by scripts - not to mention the required (and seemingly pointless) user input agreeing that you are removing the product when you run the sbpcsetup.exe with -uninstall (i.e. you have to click "yes" to the question if you want to proceed)

                  I am sitting here trying to work out the best way to remove the products with minimal (if possible - NO) user interaction. EPO apparently promised this in a document we (connecting for health) received stating there was a "Port Control Removal Agent" with which we might remove port control in anticipation of rolling out Device Encryption.

                  Any thoughts?
                  • 6. RE: Can Port Control Removal be automated
                    if you've got a document stating there would be an agent, I would simply contact whoever sent you that document and ask for it?

                    As for asking you for confirmation - all products I've ever used ask you to confirm uninstall? Remember, sbpcsetup -uninstall is just the command line way of doing remove from add/remove programs.

                    As for the path - you could have chosen a different path when you created the install set, you did not have to use our default, and, it's hardly difficult to script looking in two locations for sbpcsetup.exe and running it - that's trivial indeed. It's even trivial to click the yes button with a script (just use wshshell.sendkeys), so it would seem pretty easy on the surface to automate the uninstall?

                    as I said at the beginning though, if you have a doc stating there is a removal tool, I would just get hold of that.
                    • 7. RE: Can Port Control Removal be automated
                      Thanks again - I have been trying to get the referenced agent, having made several calls to Playno, and also logging the service request with McAfee support (if you are interested, you can see it under 3-663886845 - this is a current call log)

                      I guess we did not anticipate the product going out of life when we installed it, perhaps we did not even notice the changed path, but then as you say - it is not difficult to script that to look in 2 places.