I have helped a few customers do this. Here are the main points:
2. You must disable CD/DVD encryption; this type of encryption does not use the same key management architecture as EERM (i.e. it specifically requires a username). So if you turn this on, that bit of the code will pop up a login box.
2. In the general tab of the EEFF policy, you want to disable all the settings under the "System" subheading (especially the "disable forcing of logon at first boot").
3. In the EEFF removable media policy tab, make sure you disable the recovery option "Use Recovery Key". This option only works if you have user accounts created and deployed; it uses the user key to unlock the completely separate key that EERM uses. If you have no user, then this whole process won't work ... but the other recovery options will.
In point 2 where you say "disable all the settings under the "System" subheading", do you mean untick all of the boxes or do you mean untick the other two but tick "disable forcing of logon at first boot"?
Sorry about that. Disabling that feature means leaving it checked. So uncheck the other two, but keep the "disable forcing of logon at first boot" checked.
Brilliant thanks, as my customer only requires the EERM functionality at present this solution just made my life a lot easier, I just hope they don't decide to use more features any time soon!
One final question, if they only require EERM do they have to purchase McAfee Endpoint Encryption for Files and Folders or can they buy a cut down version of the product?
I've been thinking, will policy updates made in the Endpoint Encryption still be picked up by the clients as no users are logging in, or will it be necessary to remove and reinstall the client for any changes to take effect?
In the current release, every sync to the server will require the user to authenticate. Thus, all policy changes will require the user to authenticate. If no user is assigned, then authentication and therefore updates are not possible. Essentially, policies are static if you don't assign users. If you are in this situation, it is best to uninstall/re-install. However, an over-install may work (i.e. just run the new installer without uninstalling the old one). I haven't tested that, but it is worth a shot.
Note: this authentication requirement goes away in the next major release of EEFF. I believe that is coming out in the first half of 2010. Get with your sales rep or SE for more info on that.
I have been testing these options for some time now and I have a question about the engineering of Files and Folders.
I have deployed Files and Folders with the following options:
Attempt logon with Endpoint Encryption for PC credentials
Allow creation of Self-Extractor
Use McAfee Endpoint Encryption for Removable Media (EERM)
Enforce Encryption on CD/DVD write operations
With these options I chose the following options on the Files and Folders encryption key:
Allow key to be cached locally
cache after 365 days
It seems that I have "tricked" the engineering intent of the product for a couple of days. I am never prompted for Files and Folders authentication after EEPC and EEFF initial installation. Files and Folders does not prompt me for authentication on or off the network. I enabled logging for Files and Folders and found out that the default Files and Folders policy is always loaded and it grabs the cached key for CD/DVD encryption. It seems (initially) that once you authenticate to the MEE Server for policy and key, it will look for the default policy and cached key regardless of what MEE user authenticates through PBA.
This works well for a few days, but it reverts back to prompting for MEE credentials again. It looks like authentication/synchronization points back to the MEE Server after a while.
Is there a way to force Files and Folders to always point to default local policy and cached key? It will be acceptable to apply a new policy via new installation sets.
It always does look locally for policy, but I guess you are logging on with a new user and the system has not yet got a policy for them.
It doesn't download the list of policies for all users, only the one currently being used; thus, each person who uses the machine needs to get the policy at least once live from the server.
I can confirm that an EEFF installation over an existing EEFF installation does not update the policies. [I wasted much time trying to figure out why the new install set didn't appear to include the latest policy changes.] In an EERM-only, no users configuration, the most significant impact of this would seem to be the device list to be exempted from encryption.
A separate question -- we are using EEPC with autoboot. I've tried checking the "Attempt logon with Endpoint Encryption for PC credentials" option and assigning the EERM policy to the autoboot ID, but I still get a login prompt when doing an EEFF sync. Should this work? Am I missing something?