20 Replies. Latest reply on May 4, 2010 4:32 PM by SCtbe
      • 10. Re: EEPC v6.0.1: Endpoint Encryption is Inactive

        Policy enforcement?

        [screenshot: EEv6-Enforcement.png]

        Also, make sure that you can add EE as single user from AD. No need to have EE pre-boot:

        [screenshot: EEv6-LDAP-Users.png]

        • 11. Re: EEPC v6.0.1: Endpoint Encryption is Inactive

          Peter makes a good point - though you don't need pre-boot authentication for the crypto to activate, it will NOT activate without any user accounts assigned.

          Remember, autoboot mode (no authentication) does not offer any protection from data disclosure regulations, and really defeats the point of encrypting the drive in the first place.

          Again, no users assigned means EEPC will not activate.

          • 12. Re: EEPC v6.0.1: Endpoint Encryption is Inactive
            babatola

            Thanks Peter. I have gone through the guide over and over and the issue has not changed.

            However, I would review the settings again to ascertain that policies are enforced. Thanks for the screenshots.

            I assigned the user manually, but I would undergo the entire process again.

            Safeboot: I do not feel too comfortable with pre-boot authentication and that is why we have disabled pre-boot authentication. We have been posed with several challenges like hardware support/driver for certain mouse and keyboard......so we are trying to bypass all that to reduce the operating issues. We understand the implications of not enabling this feature, however we would avoid a "necessary evil" at this stage....hahahahha

            Also, another important factor for not enabling pre-boot authentication is SSO. It is not so straightforward as the guide claims and this would cause unnecessary downtime for users.

            We don't wanna end up creating a 9 a.m. DoS attack and support engineers running helter-skelter.

            Features like: (1) ability to pause the encryption, when encrypting a drive (2) command line uninstall command for the product

            • 13. Re: EEPC v6.0.1: Endpoint Encryption is Inactive

              Why would you want to pause the encryption? I assume you mean the initial encryption of the drive, not in general?

              • 14. Re: EEPC v6.0.1: Endpoint Encryption is Inactive
                babatola

                Having a re-think on the "pause" feature, it really might not be necessary, but you would agree with me that a command line uninstall command should be in place. As it is, I can only remove EEPC via ePO or during a recovery!!!!! aaaarghh.

                • 15. Re: EEPC v6.0.1: Endpoint Encryption is Inactive

                  I'm not sure any crypto product has a command line uninstall feature - it makes it too easy for end users to remove it. One of the fundamental points of a centrally managed product is that it is centrally managed, and encryption is a little different, in the sense that it's easy to remove the product, but hard to remove the crypto ;-)

                  If we allowed people a simple uninstall method, they would end up with non-booting machines - we'd have to allow for command line decryption and uninstall, which opens things up to end users disabling products without administrators knowing.

                  If you are an engineer, you can remove the encryption without needing ePO using EETech (the disaster recovery toolkit)? Is that what you are looking for?

                  • 16. Re: EEPC v6.0.1: Endpoint Encryption is Inactive

                    I think it is intentional for EEPC to be very difficult to remove. Even by a person with local admin rights.

                    Treat ePO as a specialised security toolbox for your PC. No more self-repairs.

                    • 17. Re: EEPC v6.0.1: Endpoint Encryption is Inactive
                      babatola

                      You both got a point....but I am always SCARED of that unlucky day where your ePO is down and you critically need to get the EEPC off......the whole EETech procedure is more or less tedious and it relies on the ePO anyway (you would always have to generate a key).

                      The uninstall procedure would not be available to users....strictly technical.

                      I believe engineers need a safe haven (more like a backdoor process, hahahhahah).

                      Thanks guys, really appreciate it....point noted! Stick with ePO and EETech.

                      However, I would be uploading the log file for Safeboot later on, and Peter, I would be reviewing the entire process again.

                      • 18. Re: EEPC v6.0.1: Endpoint Encryption is Inactive
                        babatola

                        Safeboot, EEPC and others,


                        Here is a sample of the log file you requested. I was able to lay my hands on one, finally.....this is a log file from one of the client systems (Windows XP).

                        • 19. Re: EEPC v6.0.1: Endpoint Encryption is Inactive

                          I could not find a record of you assigning a policy or any users to the machine? Maybe you can start by checking those two.


                          2010-4-29 16:30:58,117 DEBUG MfeEpeHost
                          From uuid = 5145540F-1BA8-4F52-895D-617839C2869E
                          From Service = MfeEpeEncryptionService
                          To uuid = 61FC150F-2C47-4100-9B9B-146EC568E74E
                          To Service = MfeEpeEncryptionInformationServiceClient Message =
                          <element xsi:type="ns1:ESGetSystemInfoRsp">
                                <sendTo serviceName="MfeEpeEncryptionInformationServiceClient" serviceUUID="61FC150F-2C47-4100-9B9B-146EC568E74E" xsi:type="ns1:MfeEpeAddress">
                                </sendTo>
                                <from serviceName="MfeEpeEncryptionService" serviceUUID="5145540F-1BA8-4F52-895D-617839C2869E" xsi:type="ns1:MfeEpeAddress">
                                </from>
                                <system xsi:type="ns1:ESSystem">
                                      <uuid>
                                      </uuid>
                                      <fqdn>
                                      </fqdn>
                                      <ipAddress>
                                      </ipAddress>
                                      <policyIdent>
                                      </policyIdent>
                                      <encryptionProvider>
                                      </encryptionProvider>
                                      <progressPercentage>
                                            0
                                      </progressPercentage>
                                      <state>
                                            Inactive
                                      </state>
                                      <themeLocation>
                                      </themeLocation>
                                </system>
                          </element>
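Added example (not from this thread or from the product): a small Python check that pulls the ESGetSystemInfoRsp message out of an MfeEpeHost debug log like the one above and lists which system fields ePO has not yet populated, which is what the reply above is reading off by eye. The sample log is constructed from the excerpt above; the namespace URIs used to make the bare fragment parseable are assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the ESGetSystemInfoRsp excerpt posted above.
SAMPLE_LOG = """2010-4-29 16:30:58,117 DEBUG MfeEpeHost
From uuid = 5145540F-1BA8-4F52-895D-617839C2869E
From Service = MfeEpeEncryptionService
To uuid = 61FC150F-2C47-4100-9B9B-146EC568E74E
To Service = MfeEpeEncryptionInformationServiceClient Message =
<element xsi:type="ns1:ESGetSystemInfoRsp">
  <system xsi:type="ns1:ESSystem">
    <uuid></uuid>
    <fqdn></fqdn>
    <policyIdent></policyIdent>
    <encryptionProvider></encryptionProvider>
    <progressPercentage>0</progressPercentage>
    <state>Inactive</state>
  </system>
</element>
"""

# Fields the thread says ePO must fill in (policy and users assigned) before the client activates.
REQUIRED = ("uuid", "fqdn", "policyIdent", "encryptionProvider")


def extract_system_info(log_text):
    """Return the <system> fields of the first ESGetSystemInfoRsp in the log as a dict, or None."""
    m = re.search(r"<element[^>]*ESGetSystemInfoRsp.*?</element>", log_text, re.S)
    if not m:
        return None
    # The logged fragment uses the xsi: and ns1: prefixes without declaring them,
    # so wrap it in a root that declares them (assumed URIs; only the prefixes matter here).
    wrapped = '<root xmlns:xsi="urn:xsi" xmlns:ns1="urn:ns1">' + m.group(0) + "</root>"
    system = ET.fromstring(wrapped).find("element/system")
    return {child.tag: (child.text or "").strip() for child in system}


def diagnose(log_text):
    """Explain an Inactive state: return (state, list of required fields that are still empty)."""
    info = extract_system_info(log_text)
    if info is None:
        return ("no-status", [])
    missing = [field for field in REQUIRED if not info.get(field)]
    return (info.get("state", ""), missing)


if __name__ == "__main__":
    state, missing = diagnose(SAMPLE_LOG)
    print("state:", state, "| empty fields:", ", ".join(missing) or "none")
```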