8 Replies Latest reply on Jul 15, 2011 5:11 AM by whgibbo

    Resetting users password

    Dvanmeter

      Maybe I am just so used to the EEM 5.x way of doing things, but I cannot find anything on how to reset a user password token.  What if a user has a laptop that has not been used for a while, they changed their password 3 months ago and they do not remember their old password?  How do you reset the token (password) in EEPC 6.x?  In 5.x you just found the user Id, right clicked and chose reset where you could use the default or set one, you could also reset the sso info.  Is there a similar function in EEPC 6.x?

        • 1. Re: Resetting users password
          kink80

          You would have to have the user go to a machine they are assigned to and click on Options > Recovery > Administrative Recovery, then you would go to your ePO server console and navigate to Menu > Data Protection > Encryption Recovery. Enter the challenge code provided from the user's machine. Choose User Recovery > Reset Token. Then read the response code to the user and have them enter it on their machine. A new password dialog box will open.

          • 2. Re: Resetting users password
            Dvanmeter

            Wow, that's a big change.  So there is no access to user accounts to reset sso or reset password from the EPO Console.

            • 3. Re: Resetting users password
              SCtbe

              This is not true. There is another way to do this.

              You can run the EE: User query from the Endpoint Encryption group, and you are able to reset token (for example password), clear SSO, force user to change password and two others.

               

              But these options require server - agent communication of course.

               

              Message was edited by: SCtbe on 7/14/11 7:00:12 PM CEST
              • 4. Re: Resetting users password
                kink80

                Thanks SCtbe, I have not had to reset a user's password in so long I forgot about the way you mentioned above.

                • 5. Re: Resetting users password
                  Dvanmeter

                  Thanks for the info, I would have never thought to look at a query report.  Kind of weird to do it there rather than just make an object called "EEPC User Tokens" or something like that within the encryption interface.

                   

                  EEPC in EPO is a bit frustrating.  Why not make a single icon like they do for Rogue Sensors?  Call it EEPC Management.  Under that they would have a section for management of LDAP users, a section to manage computers, etc.

                   

                  On the Client side, there is an epo agent, an eepc agent, an eepc software.  EEPC is called version 6.1, but it is mostly referenced as 1.xx in EPO.  In the old 5.x agents, you could see information passing by like user token changes, added users, errors in syncing in the agent.  Now I have to open up the EPO agent, the Encryption Agent which I don't get much information from.  I cannot now tell approximately how long it's gonna take to encrypt and decrypt like before.  There are no buttons on the EEPC agent to tell it to check for updates, users, etc.  I have to go back to the EPO agent and tell it to send events, check policies, enforce policies.  Then I have to go look in a log file if I want real information.

                   

                  Then there is the actual encrypting process.  First I set up a policy to tell it to encrypt and one to decrypt, but then I have to tell it to deploy two programs.  So now if I want to remove encryption I have to change a policy, then change a task.  It would be nice to have a single button to encrypt or a single button to decrypt.  Oh and if I don't have a user assigned it will not encrypt, even though I have a group assigned, but it never tells you that's why it's not encrypting.

                   

                  This seems much harder than 5.x. Most likely because our EPO is set up to manage all computers and laptops in a large organization and management of several McAfee products and trying to go from a system that just managed mobile devices and was structured specifically for just that.

                   

                  Seems to be not very fluid in how it is set up and things are in all different spots. Sorry, just wanted to release some of my frustration.  Just my opinion.

                  • 6. Re: Resetting users password
                    whgibbo

                    Hi Dvanmeter,

                    Sorry to hear of your frustration.  We will take this onboard and see if we can feed some of these into future builds.

                     

                    Dvanmeter wrote:

                    Oh and if I don't have a user assigned it will not encrypt, even though I have a group assigned, but it never tells you that's why it's not encrypting.

                     

                    If you have a group assigned, it should activate providing that LDAP Group/OU has some users within it.  If this is still a problem, then we will look at it.  So if you could provide additional information, such as the group type (OU/LDAP group) and number of users that are within it.

                    • 7. Re: Resetting users password
                      Dvanmeter

                      Thank you for replying.  The part I was referring to with the users not assigned is it seems in my testing there are two tabs.  One is Systems and one is Group Users.  If I do not have a user assigned at the computer level but the user(s) are assigned under the Group Users then the machine doesn't appear to encrypt.

                       

                      Let's take my own laptop for example.  I am part of the Group Users assigned at the top organization level.  I have rights to login to all laptops under that with this permission.  On my own machine I could not encrypt the system until I went under the Systems tab, found my computer, and assigned my LDAP name to it as someone who could sign in.  I already have the rights to sign in at the top organization level, but since no user was assigned at the computer level it would not encrypt and there was no indication that this was the problem.  Maybe a message in the EEPC client that says "No users assigned - encryption halted!" would have been a nice thing so I knew what the problem was right away.

                       

                      After some thought I guess it's not such a bad deal since we only encrypt laptops and not desktops.  Someone with access to the client tasks could accidentally deploy the task to install the EEPC Product to all machines and then all computers would encrypt.  If someone doesn't go to the system and assign someone then it would be bad.

                       

                      Just one other note.  For years McAfee has misidentified computers with the case type "Lunchbox" as a laptop when they are not.  Many of our Dell Small ultra small form factor report this case type with a WMI query.  They are all reported as laptops in EPO because of this.  This makes automation a bit of a headache.  I had to use custom properties to run a script I wrote that writes the make, model, case type, and serial.  I wish this info was in EPO by default.  It would help in encryption quite a bit.  Would also help find duplicate machines that perhaps were rebuilt.  You could look at duplicate serials.

                      • 8. Re: Resetting users password
                        whgibbo

                        Hi,

                        Dvanmeter wrote:

                         

                        Thank you for replying.  The part I was referring to with the users not assigned is it seems in my testing there are two tabs.  One is Systems and one is Group Users.  If I do not have a user assigned at the computer level but the user(s) are assigned under the Group Users then the machine doesn't appear to encrypt.

                        This shouldn't be the case, the machine will activate if you assign users/Groups/OUs at the branch level and no users are assigned to the system.  I do this every day whilst developing/testing EEPC.  So this is very strange.  Just a thought, you haven't accidentally broken the inheritance on the branch the machine is assigned to?  As this could have the effect that you are seeing.  If you go to the branch the machine is assigned to and click on the group tab, it should list all the users/groups/OUs assigned to the branch.

                         

                         

                        Dvanmeter wrote:

                         

                        Just one other note.  For years McAfee has misidentified computers with the case type "Lunchbox" as a laptop when they are not.  Many of our Dell Small ultra small form factor report this case type with a WMI query.  They are all reported as laptops in EPO because of this.  This makes automation a bit of a headache.  I had to use custom properties to run a script I wrote that writes the make, model, case type, and serial.  I wish this info was in EPO by default.  It would help in encryption quite a bit.  Would also help find duplicate machines that perhaps were rebuilt.  You could look at duplicate serials.

                         

                        This is related to the McAfee Agent, so if you could send me the information in a private message I will try and get this sent to the correct team.

                         

                        Many thanks