6 Replies Latest reply on Oct 27, 2011 4:00 AM by sbackstr

    EEFF 4.0: User Based Policy for CD/DVD Encryption?


      I have downloaded and checked in ePO the long awaited EEFF 4.0 extensions/software. I had no problems creating/defining policies and was excited to start testing the new product.




      My enthusiasm was deflated when I could not create a CD/DVD Encryption User Based Policy. Why would McAfee do this when this option existed within EEFF 3.x.x? We could always assign separate CD/DVD Encryption policies to EEPC users/groups in the past. Sure, we want to assign this UBP to our Active Directory users/groups but this should be no different. Just assigning separate policies per system will not do. This was one of our core requirements when implementing EEFF to our environment. I called support and they informed me that this was by design but I could not get an answer as to why. Does anyone out there know why this feature was eliminated? Was the professional services staff notified of this change? We were not informed of this by our visiting professional services person before our deployment.


      At this point we cannot move forward with an upgrade and we are stuck with 3.x.x until EOL. I will be submitting a modification request with the hopes that this will be rectified soon.

        • 1. Re: EEFF 4.0: User Based Policy for CD/DVD Encryption?

          Why can't you assign the CD/DVD policy to a user? Maybe I am missing something, but I thought all the policies could be System or UBP? Just create a policy assignment rule for a user, and it will override the system policy?


          Message was edited by: SafeBoot on 8/31/11 4:27:16 PM EDT
          • 2. Re: EEFF 4.0: User Based Policy for CD/DVD Encryption?

            One of the experts pointed out this video which might be helpful - https://community.mcafee.com/videos/1271

            • 3. Re: EEFF 4.0: User Based Policy for CD/DVD Encryption?

              I have watched the video. And although it is very helpful, I still do not see the option for CD/DVD Encryption (UBP). Unless I am missing something?


              Screenshot below from the video. This is ePO 4.6.



              Screenshot below from my ePO 4.5 Build 1093 server. I do believe it should say CD/DVD Encryption (UBP)




              Same options as in the video.....



              McAfee Support has informed me that this feature is not included by design. I would like to know why and is it going to be added back in an upcoming patch?

              • 4. Re: EEFF 4.0: User Based Policy for CD/DVD Encryption?

                It would be nice to see a response from McAfee on this....


                I too require CD/DVD UBP functionality and would like to know how I can do this without this feature...

                • 5. Re: EEFF 4.0: User Based Policy for CD/DVD Encryption?

                  Here's an update:


                  I have ended up managing this feature with machine based policy ruleset because McAfee's official stance is... 'This was a designed content feature and it will not be changed'. I don't know how true this is but my business team cannot wait any longer to deploy this product so I had to move forward. Here is what I decided to do:


                  - Created two machine based policies in ePO to coincide with our business team's requirements. As you probably know, using CD/DVD encryption will encrypt the entire disk image and will not allow you to share documents via the self-extractor option. We had to provide exceptions to allow our customers to continue to work as normal, until they can find an alternate method of sharing this data with individuals outside of the environment. The policies we created were CD/DVD Enforce and CD/DVD Exempt.

                  CD/DVD Enforce - Use the defined encryption key to encrypt disk based media creation.

                  CD/DVD Exempt - Use a "No Encryption" key for any disk based media creation.

                  - Created custom tagging rules in ePO based on custom props DWORD entries (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps). When the DWORD reads CD/DVD Enforce or CD/DVD Exempt the proper tag is applied to the machine object in ePO.

                  - Created policy assignment rules based on custom tagging entries.

                  - Created a wrapper for the EEFF 4.x installation package that changes the custom props DWORD entries.

                  - Created software distributions in SMS/SCCM based on AD group.

                  - Created queries to show compliance summary for each policy to monitor and maintain the exceptions.


                  It is important to note that with this setup, you will have to keep an eye on how many machines are obtaining this policy. Based on the software distribution configuration, any end user that is assigned the "Exempt" installation package can create this policy for any PC that they log into. There is a risk of non-encrypted data leaving the perimeter on CD/DVD but you can monitor that using queries based on the custom tagging.


                  I have been asking for a case study or client to communicate with from our support rep but that has fallen through. Any other point of view would be greatly appreciated.
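
An added example, not part of the original post and not McAfee tooling: a reconciliation check for the risk described in reply 5, where the "Exempt" tag follows an exempt user onto any PC they log into and then stays on that machine. The tag names come from the post; the CSV column names, the approved-exception mapping and the sample rows are constructed assumptions standing in for an exported ePO query and your own exception records.

```python
import csv
import io

# Constructed sample of an exported ePO query (column names are assumptions,
# not ePO's own export schema). Tag values are the two policies from the post.
EPO_EXPORT = """\
system_name,tag,last_user
WS-001,CD/DVD Enforce,alice
WS-002,CD/DVD Exempt,bob
WS-003,CD/DVD Exempt,bob
WS-004,CD/DVD Exempt,carol
WS-005,,dave
"""

# Constructed sample: approved exceptions, user -> machine the exception was granted for.
APPROVED_EXEMPT = {"bob": "WS-002"}


def audit_exemptions(export_text, approved):
    """Classify machines whose tag state does not match the approved exceptions."""
    findings = {"unapproved_exempt": [], "spread": [], "untagged": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["system_name"]
        tag = row["tag"].strip()
        user = row["last_user"]
        if tag == "CD/DVD Exempt":
            if user not in approved:
                # Exempt machine now used by someone with no approved exception.
                findings["unapproved_exempt"].append(name)
            elif approved[user] != name:
                # Approved user carried the Exempt package to another PC.
                findings["spread"].append(name)
        elif tag != "CD/DVD Enforce":
            # Neither tag applied: no policy assignment rule will match.
            findings["untagged"].append(name)
    return findings


if __name__ == "__main__":
    for category, systems in audit_exemptions(EPO_EXPORT, APPROVED_EXEMPT).items():
        print(f"{category}: {', '.join(systems) or 'none'}")
```
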

                  • 6. Re: EEFF 4.0: User Based Policy for CD/DVD Encryption?

                    The observed behavior is correct and will be rectified in EEFF 4.0.1 such that CD/DVD encryption can be assigned on a User-basis as well.

                    The final planning for EEFF 4.0.1 is currently in progress so it is not possible to announce any committed release dates as of now.