I work for a McAfee Professional Services partner. In my travels I have seen a huge variety of staffing levels.
First, it would be helpful to define the scope of responsibilities: architecture/design, implementation, functional testing, performance testing, user support, application/server/database maintenance, policy creation, reporting, compliance, incident response, remediation... you get the point.
Second, the number of products dictates how much time is needed to keep up with new versions/patches/etc. If the McAfee admins aren't already experts with the software, double or triple this to include time for self-study, or even formal training/certification.
Finally, the size of the environment matters far less than the complexity of the environment. I've done 200,000 node deployments in less than 3 days, and 15,000 node deployments that took 9 months.
:::Hopefully obvious afterthought:::
Most places need at least two or three people to be involved, just for redundancy (not necessarily 100%, full-time McAfee). Almost everywhere I've been these folks are considered essential staff and would be on-call 24/7.
That is a very helpful answer, thank you. I realise it was a bit of a vague, open-ended question, but this will give me something to jot down on paper and elaborate on for upper management.
We are a shop much like you. We use SCCM as well, we have roughly 3000 nodes, 500 are mobile. We have been using McAfee for ten years. We have deployed HIPS, also only in firewall mode, we are a mix of mostly XP and moving to W7. During all those times I spent an hour a day administering McAfee products.
For nearly the last year I have been full time dedicated to McAfee products. We chose EEPC 6 a year ago, at the same time we put in HDLP 9, encrypted thumbdrives and the normal updates and troubleshooting of the products.
In the last year we have only managed to get <300 devices encrypted, HDLP is not in any enforcement mode nor have we had an opportunity to even create rules, we have not been able to even think about the encrypted sticks, and we are still fighting encryption on a daily basis.
We brought in Professional services for 2 weeks to supplement the initial deployment and another contractor has been on site for 3 months doing laptop encryption. We determined within the first week of the professional services that there were significant issues with the products and had to re-evaluate the deployment scenario.
Deploying agents and AV is easy, and the other comments about how it varies are very true.
Once ePO is running, the rules are in place, and things have calmed down, then perhaps not an FTE, but I would plan on an FTE for a year, while someone determines what you are going to control with HDLP, what your firewalls should be, and works through the encryption bugs.
By the time you get an FTE, ePO 4.6 and perhaps eePC 6.1 will be out and that should make life better. If you are going down the eePC 5.x route, then that product is not so buggy and you may get away with lesser staff.
Just a few thoughts off the top - there's a ton more but I have limited time so:
Learn how to create queries and apply them to dashboards in 4.x - Use them to stay aware of what's happening in your environment - create tickets to remediate workstations & servers that are infected. Follow up on those tickets daily.
Test upcoming new patches / software on test workstations: plan out test, pilot, deployment, cleanup phases of upcoming patches and software updates according to McAfee's release schedule. Work with appropriate groups to get these updates scheduled and deployed.
Run Compliance Reports from your ePO console twice a week (Tuesdays and Thursdays) for both servers and workstations, then create tickets to the appropriate groups to have the non-compliant devices remediated. Non-compliant devices are usually out of date on their dat files, outdated Agent software etc. Keep a spreadsheet with the list of non-compliant devices and their associated ticket numbers and a status for each. Change the status to closed once someone has reinstalled an ePO agent or has updated a device that previously had outdated software.
Verify you have a database backup for the week.
Check the size of the database.
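
The spreadsheet routine described in the post above can be scripted. The following is an added example, not part of the original thread and not McAfee code: it reconciles a compliance report exported as CSV against the tracking sheet from the previous run. The column names, ticket numbers and sample rows are constructed, and it assumes that a device missing from the latest non-compliant report has been remediated.

```python
import csv
import io

# Constructed sample of a non-compliant-devices export.
# Column names are assumptions, not ePO's own export format.
REPORT_CSV = """system_name,reason
WS-0012,DAT out of date
SRV-DB01,Agent outdated
WS-0140,DAT out of date
WS-0200,DAT out of date
"""

# Constructed tracking sheet left over from the previous run.
TRACKER_CSV = """system_name,ticket,status,reason
WS-0012,TKT-1001,open,DAT out of date
WS-0077,TKT-1002,open,Agent outdated
WS-0200,TKT-0990,closed,DAT out of date
"""

def load(text):
    """Index CSV rows by normalised system name."""
    return {r["system_name"].strip().upper(): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(tracker, report):
    """Return (updated tracker, devices needing a ticket, devices closed this run)."""
    updated, needs_ticket, closed_now = {}, [], []
    for name, row in tracker.items():
        row = dict(row)
        if name in report and row["status"] == "closed":
            # Non-compliant again after its ticket was closed: needs a new ticket.
            row.update(ticket="", status="needs-ticket", reason=report[name]["reason"])
            needs_ticket.append(name)
        elif name in report:
            row["reason"] = report[name]["reason"]  # still open, refresh the reason
        elif row["status"] != "closed":
            # Assumption: no longer in the report means it was remediated.
            row["status"] = "closed"
            closed_now.append(name)
        updated[name] = row
    for name, rep in report.items():
        if name not in tracker:
            updated[name] = {"system_name": name, "ticket": "", "status": "needs-ticket", "reason": rep["reason"]}
            needs_ticket.append(name)
    return updated, sorted(needs_ticket), sorted(closed_now)

if __name__ == "__main__":
    _, needs, closed = reconcile(load(TRACKER_CSV), load(REPORT_CSV))
    print("open a ticket for:", needs)
    print("closed this run:", closed)
```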