A couple of notes regarding user synchronization w/EEPC 6 and ePO:
- Unless the process is accelerated (see below), user synchronization falls to the timing of your ASCI (agent server communication interval) policy. Your ASCI can be found by reviewing your Policy Catalog, see: McAfee Agent > <policy name> > General > Agent to server communication.
- Even if you had an aggressive ASCI set, another factor would be your ePO/Agent Handler configuration and how reachable your laptops are over your network. For instance, if you had a laptop sitting on a home network, and didn't have an internet-facing agent handler in place, user synchronization will not complete until the laptop re-enters your network and performs an agent to server communication.
For any of your laptops that are powered on and sitting on your network, they would benefit from you forcing an Agent Wakeup. You can accomplish this by querying the affected machines (by Laptop tag, EEPC Product Version, etc.) in ePO after you make a change to Group Users, then selecting all the objects from the query results, choosing Actions > Agent > Wake Up Agents and selecting the Policy and Task Update option.
Thanks for the response. I've used the agent wake up with the Force Policy and Task Update option and I'm not getting the results I'm looking for.
The devices we're talking about are on the LAN. One is a wireless laptop and one is a wired PC (virtual Windows 7) for testing.
My challenge is that I'll reset a token or enable the PBA, perform an Agent wake up, and then it's a waiting game for hours until the changes actually apply.
I'm starting to wonder if this is a McAfee or a Windows problem?
How long should it take a wireless device from receiving policy to turn on the PBA to the time the PBA is actually activated?
How long should it take to sync 15 or so new accounts?
How long should it take after resetting the token AND an agent wake up that the PBA prompts to enter credentials?
What does your ePO Server Task log say about the agent wakeup, success/failure? Likewise what does the Agent log from the machine(s) in question tell you? Have you tried doing a "Check New Policies" from the McAfee Agent Status Monitor on the machines in question? Are the results different?
You might want to ensure you don't have a firewall blocking server to agent communication, which you can test using telnet:
Q: How long should it take a wireless device from receiving policy to turn on the PBA to the time the PBA is actually activated?
A: It should be applied as soon as policy enforcement is started on the machine. Policy enforcement should begin as soon as ePO is able to communicate with the machine via the agent wake up you forced.
Q: How long should it take to sync 15 or so new accounts?
A: Account syncs may take several minutes, depending on the speed of communication between the client and ePO. They are different than a policy change, as they require the exchange of information from ePO to the machine, back to ePO, then back to the machine. This is supposed to be automated and is often referred to as "data channel" communication in some of the EEPC documentation.
Q: How long should it take after resetting the token AND an agent wake up that the PBA prompts to enter credentials?
A: This would occur once the machine received and processed the instruction from ePO, then was rebooted, hence entering Pre-Boot Authentication (PBA) following the policy/EE user update.
Checked the log and communication is occurring.
All firewalls are turned off via GPO.
I think I may have found it - or at least the best we can do.
There is a log specifically for the encryption client at C:\Program Files\mcafee\endpoint encryption agent\MfeEpe.txt.
This log stated that the MfeEpEncryptionInformationServiceClient is currently unavailable. KB73848 addresses a similar problem where the deployment task for EEPC and the policy refresh interval is so low that it ends any current tasks. This may have helped.
The other issue may be that I'm syncing about 50 accounts and I'm also guessing that the PBA won't be available until all 50 accounts are synced.