7 Replies Latest reply on Aug 8, 2012 4:22 AM by jontownsend

    How to encrypt a PC without joining in AD

      Hello,

      I have one big issue. I should encrypt a PC that is not joined to AD and will not be in the future.

       

      Company needs to encrypt PC with local windows user only.

      1) I have standalone deployed McAfee Agent, EEPC Agent and EE Windows. (I'm using ePO 4.6, EEPC 6.1.3)

      2) What is the next step? How do I set a user for encryption without LDAP sync?

       

      Does McAfee have any solution for PCs that are not joined to AD? Any docs?

       

      Thanks in advance

       

       


       

      Message was edited by: frince on 8/7/12 4:26:31 PM CDT
        • 1. Re: How to encrypt a PC without joining in AD

          The PC does not have to be part of the AD, but users assigned to it do if you are using EEPC6 (EPO only knows how to read users from AD).

           

          If you want something completely stand alone with no connection to AD at all, you can use EEPC5 which has self-contained user management.

          • 2. Re: How to encrypt a PC without joining in AD

            SafeBoot

            Thanks, as always you are the first to help me, but to be honest, I really don't understand why the new version, EEPC 6.x.x, does not have self-contained user management.

            I think all companies have some laptops that should be encrypted completely standalone.

             

            1) What documentation do I need to download to provide the solution I'm searching for (with EEPC 5)?

            2) As I guess, I do not need to change my current topology in ePO. I will install only EEPC5 agents on a single PC.

             

            Message was edited by: frince on 8/7/12 5:11:31 PM CDT
            • 3. Re: How to encrypt a PC without joining in AD

              Really because most people who use EPO (not all!) also have AD as well - it was designed for the mid-size and up market.

               

              EPO will get stand alone user management towards the end of this year, or maybe even sooner, in EEPC7.1

               

              re your questions though

               

              1. Not sure what you need - your McAfee rep can get you everything for EEPC5 though, and also you'll find it in kc.mcafee.com?

              2. No, EEPC5 barely uses EPO (it's optional for reporting and deployment only) - EEPC5 is a stand alone self contained environment.

               

              Remember though - EEPC6 does not need the machine to be part of AD - it just needs you to assign users from AD to the machine (so there are some names of people to login) - if the machine is not part of the domain, it does not matter. 

              • 4. Re: How to encrypt a PC without joining in AD

                SafeBoot

                 

                 

                SafeBoot wrote:

                 

                Really because most people who use EPO (not all!) also have AD as well - it was designed for the mid-size and up market.

                 

                EPO will get stand alone user management towards the end of this year, or maybe even sooner, in EEPC7.1

                 

                I'm waiting for this version (EEPC7)

                 

                re your questions though

                 

                1. Not sure what you need - your McAfee rep can get you everything for EEPC5 though, and also you'll find it in kc.mcafee.com?

                2. No, EEPC5 barely uses EPO (it's optional for reporting and deployment only) - EEPC5 is a stand alone self contained environment.

                 

                If so, then I will install EEPC5 on a standalone PC

                 

                Remember though - EEPC6 does not need the machine to be part of AD - it just needs you to assign users from AD to the machine (so there are some names of people to login) - if the machine is not part of the domain, it does not matter.

                 

                I don't understand: if a PC is not joined to AD, how can a user from AD log in to the PC? Why do I need to assign users to the machine if this machine does not recognize AD/LDAP users?

                • 5. Re: How to encrypt a PC without joining in AD
                  jontownsend

                  The thing to remember is your Encryption account is in fact not your AD account. They are 2 separate entities and AD is just the mechanism for generating Encryption users. Create an account in AD for the user in question and assign it to the client which is not part of AD. As long as SSO is disabled on the client in question you will be able to sign in with the new Encryption account and sign into Windows with whatever credentials they used previously.

                  • 6. Re: How to encrypt a PC without joining in AD

                    jontownsend wrote:

                     

                    The thing to remember is your Encryption account is in fact not your AD account. They are 2 separate entities and AD is just the mechanism for generating Encryption users. Create an account in AD for the user in question and assign it to the client which is not part of AD. As long as SSO is disabled on the client in question you will be able to sign in with the new Encryption account and sign into Windows with whatever credentials they used previously.

                     

                    OK, for PC encryption, ePO needs to generate users from AD/LDAP; without this it will not encrypt, am I right?

                    As I understand, this option is only for starting the encryption process on a PC that needs ePO, because before/after this encryption we cannot use/log in with the assigned AD user on a PC.

                    • 7. Re: How to encrypt a PC without joining in AD
                      jontownsend

                      Yes, you cannot start Encryption without a user assigned to the client. The AD account will purely be used to sign in to the device through pre-boot. It actually has nothing at all to do with AD; it is just a means of getting through encryption. It will then drop you at the normal Windows logon prompt where you can enter your non-AD credentials to access the laptop.