3 Replies Latest reply on Dec 27, 2011 11:55 PM by georgec

    Newbie ? about Groups


      I'm starting a rollout of EEPC 6.1.3 and am getting a bit confused concerning Users and Group Users.  Here is the scenario:


      Our ePO directory is setup by our organization's departments.  (For instance, all machines in Accounting are in a group called ACCT.)


      Rollout will involve 50 laptops.  40 of these are in one department which will have multiple users logging into each.  Some users will be attempting to log in while not on the network.  The remaining 10 will be on laptops in various departments and should only have one user logging into each.  The rollout will be a very "hands on" event, with our Desktop Support staff assisting with each laptop.


      I've checked  the EE components into ePO, registered my AD domain controllers in ePO, created a daily sync task, and set up the Product Settings Policy and the User Based Policy as per the Best Practices guide.  I've also created two "deploy" tasks; one to install the Agent and the other to install the software.  I've created a Tag (EEPC Deploy) which I will manually assign to each of the 50 laptops.  This same Tag I'm using in the two Deploy tasks to ensure that EEPC will only be installed on the proper systems.


      I've created a new AD group (EEPC) with the thought of putting all end users of these 50 machines in it and then assigning this group to the root of my ePO tree which will propagate down through the rest of the tree.  My reasoning is that the end users should then be "users" of their laptop regardless of where the laptop is in the ePO tree.  (I've tested this on one laptop with my own and a colleague's domain account and it seems to work fine.)


      I thought I was doing pretty well with this scheme until I read the following in the Best Practices guide (also repeated in the Unofficial Quickstart Guide):

      Group Users are EEPC user accounts that will be provisioned to every encrypted machine. These are meant as admin accounts that can be used for troubleshooting or support. In this example, they are essentially back door accounts that can log in to any system that you encrypt. For production, we would not recommend having back door accounts but it tends to make things easier during an evaluation or proof of concept.


      Further researching seems to indicate that most people add Users right at the machine level.  This seems like a lot of work.  What am I not understanding?  How can I make this rollout better, or more effecient?


      Thanks in advance!

        • 1. Re: Newbie ? about Groups

          You're making a confustion between active directory groups and Endpoint Encryption Group Users. The guide refers to the section of the console where you can assign users to a group of computers (the section of the menu where you assigned the AD Group to the root of your system tree).


          What that guide says is "Don't add users to the root of your system tree because they'll be able to lon on to all the machines". It really depends on you on how strict you want to go. And the part with "These are meant as admin accounts that can be used for troubleshooting or support.", that's simply the way McAfee recommends of using them.

          The product has a limitation on the number of users that you can assign depending on the PBFS size, and if you exceed a certain number of users (300+ and may vary on because of the info that has to hold on every user, like certificate authentication, answer questions and other stuff) it might crash, but this is not the case for you and your 50 laptop/users. It's also recommended to use as few as possible users on the machines.



          I'm using a different approach. I use the "Add local domain users" where the users are added automatically to a machine based on the existing windows profiles + 3-4 manually added service users accounts at the system tree root level.

          • 2. Re: Newbie ? about Groups

            Thanks, George.  I think I understand.  Basically, what I've created - and how I've used it so far - is exactly what McAfee recommends: Use the User Group for administrative purposes and let the "Log on" tab settings dictate users at the machine level.  (The Log on tab currently is set to "Only add currently logged on local domain users".)


            I guess what I was trying to prevent was a scenario such as this: A new employee is hired to work in the department that has 40 laptops.  Not knowing exactly which laptop they will be using, I could just put them in my new EEPC AD group.  But, especially considering there is a max number of users EEPC can handle, it looks like I need to bite the bullet and just add the new employee manually to any laptop they might need to use.  I suppose this will eventually lead to helpdesk calls since they could easily pick up a laptop they haven't been added to, but it is starting to sound like there is no good way around this.


            Is this what you do for new users of a laptop that is already encrypted?  Or am I still missing something?


            Thanks again!

            • 3. Re: Newbie ? about Groups

              I usually install the encryption after the user gets his machine. You can deploy it live and this way you'll know he has a profile on it.


              If a new employee will be working on an already encrypted laptop... helpdesk can log on into preboot and allow him to log into windows, or do a one time remote recovery so he can boot it himself.



              1 of 1 people found this helpful