9 Replies Latest reply on Apr 27, 2009 7:48 PM by SafeBoot

    Silent AutoDomain install via EPO

      I am installing McAfee Endpoint Encryption for PC with the AutoDomain script on client machines via EPO 4. I created the machine install set on the MEE database and selected to run silently. I created the EPO package and included the MEE install set. I checked in the package on the EPO database. I assigned the task to my client machine group in EPO. The EPO Wake Up Agent installs and right after Endpoint Encryption on the client machine. The AutoDomain script runs and the MEE installation finishes. The problem is when I look at the AutoDomainLog html file the cached profiles were not added to the MEE database. It appears to skip the whole process on the script without any errors. I know the MEE install set works because I have tested it on machines without being part of an EPO installation package. I went the opposite way next and created another MEE install set and selected not to run silently. I also edited the EPO pkgcatalog.xml file not to run the MEE install set silently. I check in the package on EPO and try again but I get the same results... fail.

      I read over the EPO Integration Manual in the MEE Documentation. It informed me that unless I run the MEE install set silently the EPO package install would fail. I know this not to be true because I have tested successfully. The only thing that does not work is part of the AutoDomain script.

      I read the AutoDomain manual and looked over the vbs script and could not find any variable to edit so that this can work. Is there a setting in EPO? Can you run AutoDomain silently? If not it would be a tough situation for many organizations that use SMS, EPO, Altiris, etc.
        • 1. RE: Silent AutoDomain install via EPO
          you have to run it silently as the EPO installer does not have desktop access.

          AD will simply run on the next boot instead. Make sure you have the latest version of AD.exe, check the autodomain log file for the reason it didn't do anything.
          • 2. RE: Silent AutoDomain install via EPO
            I am using version 3.2, which I assume is the latest version?
            Here is the autodomain log. Like I said, the process of adding cached users is skipped. There are no errors noted on the log. I have two domain users and a local account that have a cached profile on the machine.


            Autodomain output:

            5:22:52 PM: Set my options from autodomain.ini
            5:22:57 PM:
            --------------------------------------------------------------------------------
            START! Version 3.2
            5:22:57 PM: Please wait while I add everyone who has used your machine to the list of users who can login to SafeBoot.

            I'm going to add them if they seem to be members of the following domain(s) NEODEV

            This might take several minutes to complete so please be patient and please don't shut your machine down until I am finished. Once all the users are added, they will be able to login to SafeBoot with their normal SafeBoot userID and password.


            5:22:57 PM: RandomAdminUser picked user name "admin" from 1 possible accounts for this script command
            5:22:57 PM: Waiting 1 seconds before I start...
            5:22:58 PM: I tested the SafeBoot API, it's working and the version is good (5.1.7.0)
            5:22:58 PM: I'm going to use the group "Eng_Machines" if I have to create any machines.
            5:22:58 PM: Found a good connection in the DB list for database "MEEDEV"
            5:22:59 PM: SafeBoot Device Encryption is not installed
            5:23:00 PM: Created a new machine entry in the database for "XPDEV3" in group "Eng_Machines"
            5:23:00 PM: Using Machine Name:"XPDEV3" for future activity.
            5:23:00 PM: Getting the current list of users for machine "XPDEV3"
            5:23:01 PM: I will skip adding the following users for you because they are either already allocated, or on a blacklist your administrator
            has set:|Administrator|,|LocalService|,|All Users|,|Default User|,|NetworkService|,|Guest|,|systemprofile|,|emanager|,|$autoboot$|,|Admin|

            5:23:01 PM: Searching for AutoBoot users to remove..
            5:23:01 PM: As you don't have SafeBoot installed, I'm not going to bother forcing a sync of your machine.
            5:23:01 PM: Removing Registry entries so I never run again...
            5:23:01 PM: Removing ScriptRunner entries so I never run again...
            5:23:01 PM: You can close this window, or I'll close it for you in 10 seconds...
            5:23:01 PM: DONE!


            For some reason the section to query the registry and add the cached users is ignored in the script. I am guessing that this part has to be run interactively on the machine instead of silent like ePO demands?

            I ran a silent install set separately without the ePO package and the cached users were processed successfully. This problem only occurs while it is packaged and run under a client task by ePO.

            I have never seen the autodomain script run again after first reboot automatically. Is there a setting in the script to make this happen? I thought that this could only be done manually and this will be unwanted administrative overhead to some organizations. I can see in some situations that after the initial install the user will be given back control to the machine after first reboot and work during encryption. The user may not have local administrative rights on the machine and will not be able to execute the script. I guess it depends on the sys admin's mood to push this script through group policy.

            Autodomain is awesome to use and so is ePO. I just wish both of them could play nice. Maybe they do and I am just missing something. :(
            • 3. RE: Silent AutoDomain install via EPO
              current version is 5.10 ;-)

              I think you need to set the "processusers" var to current,cached but this version is soooo old I'm not sure if it even works ;-)

              S.
              • 4. RE: Silent AutoDomain install via EPO
                Current version 5.10? Ouch. Time for an upgrade. Where can I get my hands on this version?
                • 5. RE: Silent AutoDomain install via EPO
                  I hate to say it, but the same place you got the 3.2 version ;)
                  • 6. RE: Silent AutoDomain install via EPO
                    I am reporting good news! I have obtained AutoDomain 5.10 and it runs exactly as it should on the client devices with the ePO EEPC install package. I also am fond of the UseUPNIfPossible, SecurityGroup, and ConnectorName options. I suggest that this script be an option in the database as a standard File Group in the future.

                    Thanks Safeboot!
                    • 7. RE: Silent AutoDomain install via EPO
                      now you should get 5.14 and try the runonlogon option - it uses the Windows Active Installer technology to make the script run once per user when they logon, so, as new people use the machine (or existing old users), it will one-time capture their credentials and ensure they are correctly set up.
                      • 8. RE: Silent AutoDomain install via EPO
                        mwilke
                        I had heard from someone that this script would be built into future builds? As in, it will be a default option available for use with future builds of MEE? Is this true?

                        I have used the older versions and newer versions and they are all very easy to use just wondering if this actually ever will be built into MEE.
                        • 9. RE: Silent AutoDomain install via EPO
                          some of the functionality is planned for future versions, but until that time we're using the API to do this. Though it may seem strange to use scripting to provide such essential functionality, that's what the API was designed for - whether we use the API internally to provide it, or provide a script which uses the API makes very little difference - the advantage of the script of course is that it can be easily customised to your own requirements.