6 Replies Latest reply on May 26, 2011 11:40 AM by broot

    ePO 4.6 web API scripts to deal with EEPC boot authentication

      Hello folks,

      Has anyone made use of the scripting interface available in ePO 4.6?

       

      We're thinking of using this to assign policies to a group of machines, with the effect of disabling/enabling the endpoint encryption boot authentication setting.

       

      What I know of scripting is very dangerous, so I was hoping that someone might have some sample code they'd be willing to share?

       

      regards

      corne

       

      Message was edited by: ajacobs on 5/18/11 12:54:16 PM CDT
        • 1. Re: ePO 4.6 web API scripts to deal with EEPC boot authentication
          broot

          Hi Corne,

           

          I would suggest first creating and configuring the policy from the ePO web console. From there, you can automate the assigning of the policy to a system group. Here is some example code for a script to assign an Endpoint Encryption policy (MyPolicy) to a specific group (MyGroup):

          -----

          import mcafee

          # establish connection to the ePO server
          mc = mcafee.client('hostname', 8443, 'username', 'password')

          # find the correct group by its full System Tree path
          group = None
          for item in mc.system.findGroups('MyGroup'):
              if item['groupPath'] == 'My Organization\\MyGroup':
                  group = item
                  break
          if group is None:
              raise Exception('Could not find group')

          # find the correct policy (the Endpoint Encryption policy named MyPolicy)
          policy = None
          for item in mc.policy.find('MyPolicy'):
              if item['featureName'] == 'Endpoint Encryption':
                  policy = item
                  break
          if policy is None:
              raise Exception('Could not find policy')

          # assign the policy to the group
          mc.policy.assignToGroup(str(group['groupId']), str(policy['productId']), str(policy['objectId']))

          -----

           

          -Brad

          • 2. Re: ePO 4.6 web API scripts to deal with EEPC boot authentication

            Hi guys,

             

            Just a note to let you know that I edited the original post to include the new category "ePO Web API" that I have created today. This will help to organize the Web API content better, while letting people filter Web API content from the rest.

             

            More categories will come soon.

            • 3. Re: ePO 4.6 web API scripts to deal with EEPC boot authentication

              Hi All,

               

              Can the same be done to achieve the following:

              • Assign tag/policies to a list of systems provided in a text file
              • Perform an agent wake-up to these systems
              • Provide a list of systems that have successfully disabled PBA

              After the customer patches the systems, a new script to:

              • Re-assign tag/policy to enable PBA
              • Perform an agent wake-up to these systems
              • Provide a list of systems that have successfully enabled PBA

               

               

              Thanks

              • 4. Re: ePO 4.6 web API scripts to deal with EEPC boot authentication
                broot

                Most of what you are trying to accomplish is possible. However, it is currently not possible to determine whether PBA has been successfully disabled or enabled. The closest we can get is to use the Web API to determine what policies have been assigned to a system. Nonetheless, some other EEPC system properties, such as the disk state (i.e. Encrypted or Decrypted), are stored in the database and may be queried.

                I have not fully tested all of what is described below, but the information should at the very least provide some assistance while writing your scripts.

                 

                Policies can be applied to a system similar to what was described above:

                systems = "System1,System2,System3"

                mc.policy.assignToSystem(systems, str(policy['productId']), str(policy['typeId']), str(policy['objectId']))

                 

                Apply tags using:

                mc.system.applyTag(systems, tagName="MyTagName")

                 

                To perform an Agent wakeup:

                # fullProps and forceFullPolicyUpdate are optional, but are parameters I use often

                mc.system.wakeupAgent(systems, fullProps='true', forceFullPolicyUpdate='true')

                 

                To get EEPC properties for systems, users, etc., you'll have to dig a little deeper and use the core.executeQuery command. (See the Web API Scripting Guide for more information about this command.) The EEPC disk state of a system is of type enum, as described when you run the command mc.core.listTables('Endpoint Encryption - Disk status'). Note that 0 is Encrypted, 2 is Decrypted.

                 

                # get the system id based on system name:
                mySystem = 'MySystemName'
                result = mc.core.executeQuery(target='EPOLeafNode', select='(select EPOLeafNode.AutoID)', where='(where (eq EPOLeafNode.NodeName "' + mySystem + '"))')
                nodeId = result[0]['EPOLeafNodeAutoID']

                # get the EEPC disk status of the system:
                results = mc.core.executeQuery(target='EPEDisks', select='(select EPEDisks.DiskAutoId EPEDisks.State)', where='(where (eq EPEDisks.EPOLeafNodeID ' + str(nodeId) + '))')
                for result in results:
                    disk = result['EPEDisks.DiskAutoId']
                    state = result['EPEDisks.State']
                    if state == 0:
                        print('Disk id %s on system %s is Encrypted' % (disk, mySystem))
                    elif state == 2:
                        print('Disk id %s on system %s is Decrypted' % (disk, mySystem))
                    else:
                        print('Disk id %s on system %s is in another state' % (disk, mySystem))

                 

                 

                -Brad
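                Pulling the snippets in this reply together into one script, as an added example (not Brad's code and not McAfee's): it takes the system list the question mentions (one name per line from a text file), pushes the policy and tag, wakes the agents, and then reports which systems have every disk in the wanted state. It assumes executeQuery rows are keyed 'Table.Column' (the reply shows both forms), refuses system names that could break out of the quoted where-clause, and includes FakeEpo, a constructed stand-in for mcafee.client so the query helpers can be exercised offline.

```python
import re

SAFE_NAME = re.compile(r'^[A-Za-z0-9._-]+$')       # names allowed into the S-expression where-clause
STATE_NAMES = {0: 'Encrypted', 2: 'Decrypted'}       # EPEDisks.State values quoted in the reply above

def leaf_node_id(mc, name):
    """EPOLeafNode.AutoID for a system name, or None; refuses names that could
    break out of the quoted where-clause (result key form is an assumption)."""
    if not SAFE_NAME.match(name):
        raise ValueError('unsafe system name: %r' % name)
    rows = mc.core.executeQuery(target='EPOLeafNode', select='(select EPOLeafNode.AutoID)',
                                where='(where (eq EPOLeafNode.NodeName "%s"))' % name)
    return rows[0]['EPOLeafNode.AutoID'] if rows else None

def disk_states(mc, node_id):
    """{disk id: 'Encrypted' | 'Decrypted' | 'Other'} for one EPOLeafNode.AutoID."""
    rows = mc.core.executeQuery(target='EPEDisks', select='(select EPEDisks.DiskAutoId EPEDisks.State)',
                                where='(where (eq EPEDisks.EPOLeafNodeID %d))' % int(node_id))
    return dict((r['EPEDisks.DiskAutoId'], STATE_NAMES.get(r['EPEDisks.State'], 'Other')) for r in rows)

def systems_in_state(mc, systems, wanted):
    """(names whose disks are all `wanted`, names not found); 'Decrypted' after disabling PBA, 'Encrypted' after re-enabling."""
    done, unknown = [], []
    for name in systems:
        node = leaf_node_id(mc, name)
        if node is None:
            unknown.append(name)
            continue
        states = disk_states(mc, node)
        if states and all(s == wanted for s in states.values()):
            done.append(name)
    return done, unknown

def push_policy_tag_and_wake(mc, systems, policy, tag_name):
    joined = ','.join(systems)   # the assignToSystem / applyTag / wakeupAgent calls from the reply, for the whole list
    mc.policy.assignToSystem(joined, str(policy['productId']), str(policy['typeId']), str(policy['objectId']))
    mc.system.applyTag(joined, tagName=tag_name)
    mc.system.wakeupAgent(joined, fullProps='true', forceFullPolicyUpdate='true')

class FakeEpo(object):
    """Constructed stand-in for mcafee.client so the query helpers run offline (not the real API)."""
    def __init__(self, nodes, disks):                 # nodes: name -> AutoID, disks: AutoID -> {disk: state}
        self.nodes, self.disks, self.core = nodes, disks, self
    def executeQuery(self, target, select, where):
        if target == 'EPOLeafNode':
            name = where.split('"')[1]
            return [{'EPOLeafNode.AutoID': self.nodes[name]}] if name in self.nodes else []
        node = int(where.rsplit(' ', 1)[1].rstrip(')'))
        return [{'EPEDisks.DiskAutoId': d, 'EPEDisks.State': s} for d, s in self.disks.get(node, {}).items()]
```

                Against a real server, replace FakeEpo with mcafee.client(...), read the names with something like [l.strip() for l in open('systems.txt') if l.strip()], call push_policy_tag_and_wake, and after the agents have reported back run systems_in_state with 'Decrypted' (or 'Encrypted' for the re-enable run).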

                • 5. Re: ePO 4.6 web API scripts to deal with EEPC boot authentication
                  Dvanmeter

                  We have a similar need that perhaps the scripting may be of use for. We need to assign a group of users to EEPC based off a tag or system name. For example, we create a department tag if the name starts with xxx-. HRD- would stand for Human Resources Desktop and HRL- Human Resources Laptop. I would then need to assign all HR people (Active Directory group) to sign into any computer with this tag rather than going to each computer and doing this manually. Our current ePO design is around IP space, not AD groups or department. HR may be spread out all over different space.

                   

                  Is there a way to script this action to occur?

                  • 6. Re: ePO 4.6 web API scripts to deal with EEPC boot authentication
                    broot

                    There is currently no explicit capability to assign AD users to a system based on tag or system name. If you would like to see this feature in a future release, please fill out a Product Enhancement Request:

                     

                    https://secure.mcafee.com/apps/downloads/products/products-enhancement-request.aspx

                     

                    For now, I would suggest filtering your systems and adding users as follows:

                     

                    1) Navigate to Endpoint Encryption Users

                    2) Select the "My Organization" node in your System Tree

                    3) Select the Custom filter dropdown and click "Add..."

                    4) Either:

                        a) Add the System Name property and set the Comparison to "Starts with". In the Value field, type "HR"

                        b) Add the Tags property and set the Comparison to "Has tag". In the Value field, select the desired tag.

                    5) Click the Update Filter button.

                    6) Now click the Select All checkbox to select all of the systems.

                    7) From the Actions dropdown, select Endpoint Encryption > Add Users

                    8) Set the AD user or group criteria as desired and click OK.

                     

                    -Brad