9 Replies Latest reply on Dec 10, 2009 8:08 AM by SafeBoot

    Safeboot Deployment using Altiris



      We are planning to deploy safeboot encryption on laptops using Symantec Altiris solution, would like to here experiences if anybody has deployed encryption using Alitiris in your environment.


      • How easy or difficult is it?
      • Do i need to create individual install packages for each system or is it ok if i create a generic package and then rename it to the asset id before deployment using Alitiris?
      • In this case how can i assign users to each package i.e. is it advisable to create users manually or use the AD connector. I am currently not using the AD connector and creating users manually.




        • 1. Re: Safeboot Deployment using Altiris

          We have deployed Safeboot using altiris to over 2000 machines.  It has worked very well.  We use a generic package.  As far as creating users, we are using the AD connector with a modified filter on domain users.  Hope this helps.

          • 2. Re: Safeboot Deployment using Altiris

            Altiris is probably the most commonly used deployment tool that I see in the field. I *strongly* recommend that you engage our professional services team. The nature of your question raises several red flags about understanding basic product functionality.


            - You should make a single exe from the safeboot console. Make this install set from a machine group, not an individual machine.

            - When Altiris runs this package, the machine will automatically register its unique name in the safeboot console.

            - This new machine object in the console will adopt the properties of whichever group it is created in (i.e. the group from which the installer was built)

            - One of the properties it inherits from the group is the users. If you are a small organization (500 or less), then just assign all users at the group level and then all those users will work as pre-boot accounts on your systems. If you are a large organization, you will need to devise a strategy for user provisioning. For example, you could leverage our API to automatically assign users to machines on install. Or if you use v6, then this code is native and you don't need any scripts.

            - You users can be pulled from AD, or you can create them manually, or you could have the API / script automate the manual creation.


            So you have many possible strategies for your deployment, but if you don't get training or professional services ... you may not choose the best strategy.

            • 3. Re: Safeboot Deployment using Altiris

              Hi DLarson,


              Thanks for your response.


              Can you let me know what API are you referring to for automatically assinging the users to machines on install.


              I have already populated the users from the AD using the AD connector.




              • 4. Re: Safeboot Deployment using Altiris

                In the nutshell it is AutoDomain VB script (comes as compiled) with SafeBoot/EEPC API calls (same as used for sbadmcl scripting).

                • 5. Re: Safeboot Deployment using Altiris

                  To answer specifically, the SetUser command is used to assign a username to a machine. How you gather the user name and machine name is up to you, but you need both in order for the command to work. You should start by reading the SBADMCL Scripting Guide PDF that came with your install files.

                  • 6. Re: Safeboot Deployment using Altiris

                    Thanks for your response guys

                    Mcafee has released EEPC V6 which can be fully integrated with epo 4.5 so we have decided to test this out and roll out EEPC using EPO.


                    Thanks for all your help.




                    • 7. Re: Safeboot Deployment using Altiris

                      Be sure to use the "add local domain users" option in the v6 policy. This will enable our code to find the Windows users assigned to a machine and then make them valid pre-boot authentication accounts. This is a great feature because it eliminiates the need for complex scripting that we had in v5!


                      Also, consider using this Quickstart Guide when you begin your POC of EEPC v6.

                      http://community.mcafee.com/blogs/danlarson/2009/11/30/unofficial-quickstart-gui de-for-mcafee-eepc-v6

                      • 8. Re: Safeboot Deployment using Altiris



                        Thanks for your inputs will keep in mind for the EEPC v6 rollout.


                        One more question does EEPC v6 has the same feature like earlier EEPC versions where in i can add admin users to a particular system so in case the users token is invalidate we can atleast login with the admin account.






                        • 9. Re: Safeboot Deployment using Altiris

                          with 6, you can add any AD user, or group of AD users etc, much the same as v5. 6 at the moment though has no capacity to create or use users from outside of AD.