We currently use the LDAP synchronization to pull in users/computers into our ePO System Tree structure. We have a few domains in our System Tree and a fairly flat AD structure. Due to this type of structure, it would require multiple policies set up on all these domain subgroups under My Organization (System Tree). This would make things very cumbersome and require us to change the policies in various different places if we needed to revise it at a later time. This would also require us to move systems around to apply different policies and due to the LDAP synchronization, it would throw everything off.
We decided to leverage the tagging capabilities in ePO 4.6 to deploy the EEAgent and EEPC client, along with assigning EEPC policies to the systems. We created a tag to Encrypt and a tag for Autoboot. Once the Encrypt tag is applied to a machine, the EEAgent and EEPC client are deployed to the system and once installed, the EEPC policies will be pushed down as long as users are assigned on the encryption level. If we remove the Encrypt or Autoboot tags, the system will start decrypting and the EEAgent and EEPC client will be removed once the decryption is completed. Should the computer be encrypted, if we were to apply the Autoboot tag, we can force our autoboot policy to be pushed down to the system and allow the PBA to be bypassed.
Is anyone else utilizing the ePO tagging features to deploy or maintain EEPC? If so, have you faced any challenges with this type of setup?
We also utilized the ePO Web API to write Python scripts that allow us to easily apply tags for encryption and autoboot, while also allowing us to clear tags to start decryption of a system. We have scripts that automate much of what can be done in the ePO console. Unfortunately, due to the Web API limitations, we are unable to automate the challenge/response system via our Python Scripts. A product enhancement request has been submitted and we hope this will be considered in a future release.
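Added example, not part of the original post and not the poster's scripts: a dry-run planner for the tag workflow described above. It builds the ePO Web API calls without sending them and refuses any tag removal unless explicitly allowed, since the post says clearing a tag starts decryption. The server URL and system name are placeholders; the `system.applyTag` / `system.clearTag` commands and the `OK:` reply prefix are assumed from the ePO Web API and should be checked against `core.help` on your server.

```python
import json
from urllib.parse import urlencode

# Assumptions: placeholder server URL; tag names as given in the post.
EPO_BASE = "https://epo.example.internal:8443/remote"
MANAGED_TAGS = {"Encrypt", "Autoboot"}


def build_call(command, system, tag):
    """Return the Web API URL for one tag command (nothing is sent)."""
    query = urlencode(
        {"names": system, "tagName": tag, ":output": "json"}, safe=":"
    )
    return f"{EPO_BASE}/{command}?{query}"


def plan_tag_changes(system, current, desired, allow_decrypt=False):
    """Diff current vs. desired tags into an ordered list of API calls.

    Per the post, clearing a managed tag starts decryption and removal
    of the client, so any clear is refused unless allow_decrypt is set.
    """
    current = set(current) & MANAGED_TAGS
    desired = set(desired) & MANAGED_TAGS
    to_apply = sorted(desired - current)
    to_clear = sorted(current - desired)
    if to_clear and not allow_decrypt:
        raise PermissionError(
            f"refusing to clear {to_clear} on {system}: this starts decryption"
        )
    calls = [build_call("system.applyTag", system, t) for t in to_apply]
    calls += [build_call("system.clearTag", system, t) for t in to_clear]
    return calls


def parse_response(text):
    """Parse a reply: first line 'OK:', then the JSON body (assumed format)."""
    status, _, body = text.partition("\n")
    if status.strip() != "OK:":
        raise RuntimeError(f"ePO returned an error: {text.strip()}")
    return json.loads(body)
```

Sending each URL over HTTPS with the ePO account's credentials, and logging who passed `allow_decrypt`, is left to the calling script.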