1 Reply Latest reply on Nov 4, 2011 5:11 PM by DLarson

    EEPC Mass Deployment Approach

      Hi All,

       

      I am after the best practice approach for mass deploying EEPC to laptops. For argument's sake, let's use 1000 endpoints. Surely deploying the product ad hoc, one at a time, would not necessarily be the best approach?

       

      My thinking was:

       

      Mass deployment tasks.

       

      1. Deploy EEGO (evaluate disk status for EEPC ready state)

      2. Deploy EEAdmin and EEPC in same manner as (1) whilst utilizing a 'disabled' policy and removing the reboot prompt after EEPC deployment.

      3. All endpoints would then require a reboot, which can either be:

      3.1 Scheduled via existing methods.

      3.2 Wait until users reboot manually.

      3.3 Requesting this via end user communication.

      4. Enable EEPC to start the HDD encryption with autoboot enabled meaning no change in user experience.

       

      Scheduled policy changes.

       

      5. Schedule and communicate the activation of PBA to a predetermined number of endpoints, 20, 50, 100...?? per day (Not sure what the best practice here would be). Sure this would depend on the user communication and the way they understand and handle the change.

       

      Any other ideas or recommendations for approaching a quick turnaround? Real examples would be appreciated.

       

      Thanks.

       

      Message was edited by: wcoetsee on 3/11/11 7:03:14 PM
        • 1. Re: EEPC Mass Deployment Approach

          This is a very good approach and one that I have generally advocated for a long time - all the way back to the SafeBoot days. The beauty of temporarily using autoboot mode is that it eliminates the possibility of any end user helpdesk calls for password issues or user account issues. So if you do get a helpdesk call while in that state, you can jump directly to the more advanced troubleshooting.

           

          There are lots of other things to consider for deployments...

          1. Do you want a single deployment process for all scenarios? For example, new systems and already-deployed systems may require different install processes ... so can you compromise and find a way to do them all the same? This depends on your security and process requirements, but most people do like to have a single process.
          2. How are you going to handle re-imaged systems? Do you have ePO set up to prevent duplicate GUIDs? Will you use the OS Refresh Utility so that the disk can retain its encryption through the re-image process?
          3. Do you want to speed along the activation process with custom scripts? Out of the box, EEPC will wait for an ASCI, and in large organizations that may be set to 4 hours. That means you have to wait 4 hours after the reboot before EEPC even attempts to start encrypting. You can use the command line interface for the McAfee Agent to programmatically trigger ASCIs during the EEPC install process.

           

          What other challenges or considerations has the community faced?
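
The scripted ASCI trigger mentioned in point 3 of the reply, as an added example that is not part of the original thread or McAfee's own tooling. It assumes the McAfee Agent command line is `CmdAgent.exe` in one of the install paths listed; the round count, delays and log file location are illustrative values to adjust for your environment.

```powershell
# Added example: ask the McAfee Agent to talk to ePO right after the EEPC
# install instead of waiting for the next scheduled ASCI.
# Assumptions: candidate install paths, round count, delays and log path.
param(
    [int]$Rounds = 3,                 # illustrative: number of trigger rounds
    [int]$DelaySeconds = 120,         # illustrative: pause between rounds
    [string]$LogFile = "$env:TEMP\eepc-asci-trigger.log"
)

# Assumed install locations; adjust for the agent version in use.
$candidates = @(
    "$env:ProgramFiles\McAfee\Common Framework\CmdAgent.exe",
    "${env:ProgramFiles(x86)}\McAfee\Common Framework\CmdAgent.exe",
    "$env:ProgramFiles\McAfee\Agent\CmdAgent.exe"
)
$cmdAgent = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1

if (-not $cmdAgent) {
    Add-Content $LogFile "$(Get-Date -Format s) CmdAgent.exe not found; is the agent installed?"
    exit 1
}

# /p = collect and send properties to the server
# /c = check for new policies
# /e = enforce policies locally
$flags = '/p', '/c', '/e'

for ($round = 1; $round -le $Rounds; $round++) {
    foreach ($flag in $flags) {
        $proc = Start-Process -FilePath $cmdAgent -ArgumentList $flag `
                              -Wait -PassThru -WindowStyle Hidden
        # Exit codes are logged for the deployment record, not interpreted.
        Add-Content $LogFile "$(Get-Date -Format s) round=$round flag=$flag exit=$($proc.ExitCode)"
        Start-Sleep -Seconds 15       # give the agent service time to act
    }
    if ($round -lt $Rounds) { Start-Sleep -Seconds $DelaySeconds }
}
exit 0
```

Run it as a post-install step from the same deployment tool that pushes EEPC, and keep the log so a helpdesk call during the autoboot phase can confirm whether the endpoint ever reached the server.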