9 Replies Latest reply on Apr 20, 2011 3:46 AM by whgibbo

    EEPC 6.1: Feature to auto-enable UBP enforcement for users

    DPE

      Hi,

       

      After upgrading to EEPC 6.1, I've become increasingly annoyed by the fact that I now have to configure UBP enforcement for my users as I create new AD users almost on a daily basis.

      Is there any way of automating the process of enabling UBP enforcement for my users - maybe as a server task? If not, please make it possible to do so.

       

      /David

        • 1. Re: EEPC 6.1: Feature to auto-enable UBP enforcement for users

          Can you please describe this in more detail? Why do you have to modify the UBP every time you add new users in AD?

          • 2. Re: EEPC 6.1: Feature to auto-enable UBP enforcement for users
            DPE

            Of course.

             

            This does not have to do with the UBP itself, but with new users having the right to utilize my UBP.

            When I add users to my AD, they are synched to EEPC/ePO. In order to enable the use of my user based policies for these new users I have to:

            1: Enter the reports in ePO

            2: Run the 'EE: Users' report.

            3: Locate my newly synced users, select them all, and use the actions menu to enable 'UBP enforcement' for these users.

             

            This I have to do every time new AD users are synched to EEPC/ePO, which for me is several times a week. I want this automated.

             

            If I do not do the 'UBP enforcement' for new users, I am unable to activate encryption on clients until this is done. As I can read from the documentation, the 'Default McAfee' policy is used for the users that do not have 'UBP enforcement' enabled - however, as my company isn't using the default policies, we are forced to configure 'UBP enforcement' every time new AD users are synched. If we don't, it is our experience that PCs installed after the new users are synched will not be able to start encryption - this is also proved by an error in the client MfeEpe.log.

             

            Message was edited by: DPE on 4/19/11 3:34:24 PM CDT
            • 3. Re: EEPC 6.1: Feature to auto-enable UBP enforcement for users

              Thanks for that clarification. When you go into the system tree and select the machine's group, what do you see in the "assigned policies" tab? If you have assigned the desired UBP here, then you shouldn't have to mess with the "enable UBP" step that you are doing now. If this screen says "my default", then you should edit the assignment so that it instead says your desired UBP.

               

              I think the critical statement in the documentation is this one: By default, all users inherit the default User Based Policy assigned to the system.

               

              You should only have to do the custom UBP if you want your system to deviate from the UBP assigned to the group.

              • 4. Re: EEPC 6.1: Feature to auto-enable UBP enforcement for users
                DPE

                I can verify that my system tree machine groups only have custom policies assigned to them. The default McAfee policies are only assigned on the top folder, which is not used. Inheritance is broken down the tree, so I've manually assigned my custom policies to all my system tree folders beneath the top folder.

                • 5. Re: EEPC 6.1: Feature to auto-enable UBP enforcement for users
                  whgibbo

                  Hi DPE,

                  I believe that you are talking about 'configure UBP enforcement'. This should ONLY be enabled for a user when you have created a Policy Assignment rule for an EEPC User Based Policy for this user. It is not required to be enabled for every user; doing so will cause extra work for your Agent Handlers.

                   

                  By default the User Based Policy Assignments are processed by the Agent Handlers, being invoked from the McAfee Agents.  The McAfee Agent will only request the user based policies for the currently logged in user. 

                  But for EEPC, we need all the user based policies for all users. So this is what 'configure UBP enforcement' was created for. It is to allow EEPC to tell the McAfee agent to request the user based policies for these users as well.

                   

                  The important thing to remember for EEPC is as follows:

                  • All users will automatically use the User Based Policy assigned to the machine (which can be inherited from the ePO branch)
                    • Unless the 'configure UBP enforcement' has been enabled for the user, which means you will need a user based policy assignment rule defined.
                  • Policy assignment rules are normally only created if you have users/machines using different token types.
                    • In which case assign the machine/branch the User Based Policy for the major majority of users and then create a policy assignment rule to cover the minority.
                  • If you only use one token type, then normally you would not use policy assignment rules or 'configure UBP enforcement'.

                   

                  Hope this helps

                  • 6. Re: EEPC 6.1: Feature to auto-enable UBP enforcement for users
                    DPE

                    THANK YOU!

                     

                    That helps a lot. It seems I've misunderstood something, just as I expected.

                     

                    You're right that I have a policy assignment rule set up. But, since I also have the policies assigned to all my machines in the system tree, I actually don't really need the rule?

                     

                    What would be the best way to remove my policy assignment rule, and disable UBP enforcement for my users, without affecting my test clients? I only use password token in my environment.

                     

                    Message was edited by: DPE on 4/20/11 3:00:19 AM CDT
                    • 7. Re: EEPC 6.1: Feature to auto-enable UBP enforcement for users
                      whgibbo

                      Hi..

                      You need to do the following :

                      1. Ensure that the User Based Policy (UBP) you are using in your policy assignment rule is assigned to the branch the test machines are assigned to, or to 'My Organization'.
                        1. If you do it to 'My Organization', ensure that you have broken the inheritance on the branch or the machines.
                      2. Then we need to disable the 'Configure UBP Enforcement' for the users you have enabled it for.
                        1. So I would edit the EE users query to include the 'UBP enforcement' column and then sort by this, and run the query.
                        2. Then you will have to tick the users individually that have 'UBP enforcement' set to true.
                        3. Click Actions->Endpoint Encryption->Configure UBP Enforcement and select 'disable'.
                      3. Then you can delete the policy assignment rule.


                      Let me know how you get on..

                       

                      Helpful Tip of the day: If you are planning to use the password token only, in your EE LDAP Sync you can leave the edit box for the 'User Certificate' empty. This will stop certificates from being synced from AD and reduce the SQL Storage.

                      • 8. Re: EEPC 6.1: Feature to auto-enable UBP enforcement for users
                        DPE

                        Thanks so much for this information. Really helpful!

                        Now, I'll get on my way removing the rule and assignments for my users. I'll let you know how it turns out.

                         

                        Thanks again!