I would suggest first creating and configuring the policy from the ePO web console. From there, you can automate the assigning of the policy to a system group. Here is some example code for a script to assign an Endpoint Encryption policy (MyPolicy) to a specific group (MyGroup):
import mcafee

# establish connection to the ePO server
mc = mcafee.client('hostname', 8443, 'username', 'password')

# find the correct group
group = None
for item in mc.system.findGroups('MyGroup'):
    if item['groupPath'] == 'My Organization\\MyGroup':
        group = item
if group is None:
    raise Exception('Could not find group')

# find the correct policy
policy = None
for item in mc.policy.find('MyPolicy'):
    if item['featureName'] == 'Endpoint Encryption':
        policy = item
if policy is None:
    raise Exception('Could not find policy')

# assign the policy to the group
mc.policy.assignToGroup(str(group['groupId']), str(policy['productId']), str(policy['objectId']))
Just a note to let you know that I edited the original post to include the new category "ePO Web API" that I have created today. This will help to organize the Web API content better, while letting people filter Web API content from the rest.
More categories will come soon.
Can the same be done to achieve the following:
- Assign tags/policies to a list of systems provided in a text file
- Perform an agent wake-up to these systems
- Provide a list of systems that have successfully disabled PBA
After the customer patches the systems, a new script to:
- Re-assign tags/policies to enable PBA
- Perform an agent wake-up to these systems
- Provide a list of systems that have successfully enabled PBA
Most of what you are trying to accomplish is possible. However, it is currently not possible to determine whether PBA has been successfully disabled or enabled. The closest we can get is to use the Web API to determine what policies have been assigned to a system. Nonetheless, some other EEPC system properties, such as the disk state (i.e. Encrypted or Decrypted), are stored in the database and may be queried.
I have not fully tested all of what is described below, but the information should at very least provide some assistance while writing your scripts.
Policies can be applied to a system similar to what was described above:
systems = "System1,System2,System3"
mc.policy.assignToSystem(systems, str(policy['productId']), str(policy['typeId']), str(policy['objectId']))
Apply tags using:
To perform an Agent wakeup:
# fullProps and forceFullPolicyUpdate are optional, but are parameters I use often
mc.system.wakeupAgent(systems, fullProps='true', forceFullPolicyUpdate='true')
To get EEPC properties for systems, users, etc., you'll have to dig a little deeper and use the core.executeQuery command. (See the Web API Scripting Guide for more information about this command.) The EEPC disk state of a system is of type enum, as described when you run the command mc.core.listTables('Endpoint Encryption - Disk status'). Note that 0 is Encrypted, 2 is Decrypted.
# get the system id based on system name:
mySystem = 'MySystemName'
result = mc.core.executeQuery(target='EPOLeafNode', select='(select EPOLeafNode.AutoID)', where='(where (eq EPOLeafNode.NodeName "' + mySystem + '"))')
# executeQuery returns a list of row dictionaries keyed "Table.Column",
# so take the first row rather than indexing the list with a string
if not result:
    raise Exception('Could not find system')
systemId = result[0]['EPOLeafNode.AutoID']

# get the EEPC disk status of the system:
results = mc.core.executeQuery(target='EPEDisks', select='(select EPEDisks.DiskAutoId EPEDisks.State)', where='(where (eq EPEDisks.EPOLeafNodeID ' + str(systemId) + '))')
for result in results:
    disk = result['EPEDisks.DiskAutoId']
    state = result['EPEDisks.State']
    if state == 0:
        print('Disk id %s on system %s is Encrypted' % (disk, mySystem))
    elif state == 2:
        print('Disk id %s on system %s is Decrypted' % (disk, mySystem))
    else:
        print('Disk id %s on system %s is in another state' % (disk, mySystem))
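The reporting step asked about above (systems listed in a text file, then a per-system disk-state summary), as an added example that is not from the original posts or from the ePO product. System names are checked against an allowlist before they are interpolated into the executeQuery where clause, since a name containing a quote or parenthesis would otherwise alter the query; the query strings and the 0/2 state codes are those from the post, while FakeClient, its two systems and the hostname character set are constructed assumptions standing in for a real mcafee.client connection.

```python
import re

# System names come from an untrusted text file and are interpolated into the
# ePO query S-expression as a quoted string, so quotes or parentheses in a name
# could alter the query. Allowlist rather than escape (assumed hostname charset).
SYSTEM_NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_.-]{0,254}$')
STATUS = {frozenset([0]): 'encrypted', frozenset([2]): 'decrypted'}  # enum from the post

def disk_states(mc, system_name):
    """EPEDisks.State values for one validated system, or None if not in the tree."""
    nodes = mc.core.executeQuery(
        target='EPOLeafNode', select='(select EPOLeafNode.AutoID)',
        where='(where (eq EPOLeafNode.NodeName "%s"))' % system_name)
    if not nodes:
        return None
    node_id = nodes[0]['EPOLeafNode.AutoID']
    disks = mc.core.executeQuery(
        target='EPEDisks', select='(select EPEDisks.DiskAutoId EPEDisks.State)',
        where='(where (eq EPEDisks.EPOLeafNodeID %d))' % node_id)
    return [d['EPEDisks.State'] for d in disks]

def encryption_report(mc, lines):
    """Map each system listed in the file lines to its disk-encryption status."""
    report = {}
    for raw in lines:
        name = raw.strip()
        if not name or name.startswith('#'):
            continue
        if not SYSTEM_NAME_RE.match(name):
            report[name] = 'rejected name'        # never reaches executeQuery
            continue
        states = disk_states(mc, name)
        if states is None:
            report[name] = 'unknown system'
        else:   # 'encrypted' only if every disk is state 0; no disks -> other
            report[name] = STATUS.get(frozenset(states), 'mixed or other state')
    return report

class FakeClient(object):
    """Constructed stand-in for mcafee.client with two systems (not real ePO data)."""
    _systems = {'HRD-001': (11, [0]), 'HRL-002': (12, [0, 2])}
    core = property(lambda self: self)       # so mc.core.executeQuery(...) resolves
    def executeQuery(self, target, select, where):
        if target == 'EPOLeafNode':
            name = where.split('"')[1]
            return [{'EPOLeafNode.AutoID': self._systems[name][0]}] if name in self._systems else []
        node_id = int(where.rstrip(')').split()[-1])
        states = next((s for i, s in self._systems.values() if i == node_id), [])
        return [{'EPEDisks.DiskAutoId': k, 'EPEDisks.State': s} for k, s in enumerate(states)]
```

With a real connection, pass the mcafee.client object in place of FakeClient() and the lines of your systems file (for example from open('systems.txt')) to encryption_report.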
We have a similar need that perhaps the scripting may be of use for. We need to assign a group of users to EEPC based off a tag or system name. For example, we create a department tag if the name starts with xxx-. HRD- would stand for Human Resources Desktop and HRL- for Human Resources Laptop. I would then need to assign all HR people (Active Directory group) to sign into any computer with this tag rather than going to each computer and doing this manually. Our current ePO design is around IP space, not AD groups or department. HR may be spread out all over different space.
Is there a way to script this action to occur?
There is currently no explicit capability to assign AD users to a system based on tag or system name. If you would like to see this feature in a future release, please fill out a Product Enhancement Request:
For now, I would suggest filtering your systems and adding users as follows:
1) Navigate to Endpoint Encryption Users
2) Select the "My Organization" node in your System Tree
3) Select the Custom filter dropdown and click "Add..."
   a) Add the System Name property and set the Comparison to "Starts with". In the Value field, type "HR".
   b) Add the Tags property and set the Comparison to "Has tag". In the Value field, select the desired tag.
5) Click the Update Filter button.
6) Now click the Select All checkbox to select all of the systems.
7) From the Actions dropdown, select Endpoint Encryption > Add Users
8) Set the AD user or group criteria as desired and click OK.