All we did was educate the end user to enter their domain password as their PBA password.
So you don't use password synchronization? What if you change the users domain password?
How do you add additional users that can login at the PBA?
Our ePO policies are exactly the same as yours, so yes we have password sync and any current users and and any new users that login to the device will be added to he PBA user list. As long as the user changes their password with ctrl+alt+del the domain and PBA password will sync. Using AD to reset a domain password will not be picked up by EEPC and you will end up with a different password in PBA to AD.
As an aside have you got ePO syncing with AD via LDAP. You need this to be setup to allow EEPC to work properly.
Useful tip - add your domain admin group to the encryption group so that any of your domain admins will be able to login on any PBA device.
So it is possible in your case that a user who has local admin rights can add a user, wich can then login with '12345' ? This won't be acceptable.
Yes, I have configured LDAP and added myself for now to the 'Encryption Users'
No not possible in our case for a non domain admin to manually add a PBA user. Firstly a user with local admin rights is not the same as a domain admin. Secondly, the only two ways for a PBA user to be added is either a user logs onto a device and automatically gets added to the PBA database due to the setting "Add all previous and current local domain users of the system" or users gets manually added to a system via ePO.
This post may help with understsnd password syncing - https://community.mcafee.com/thread/33429
As a rule of thumb if the password is out of sync we ALWAYS advise our end users to do a c+a+d password reset just to be sure passwords sync.
Helped a bit, thanks.
Our users arn't allowed to change their password
However, the problem still is:
Existing users (users with an existing local profile) can (must) login with the default password, before the domain password gets synchronized.