8 Replies Latest reply on Jul 26, 2013 8:40 AM by SafeBoot

    McAfee EndPoint Encryption is a non-AD environment

    twenden

      We have just started to evaluate the McAfee Endpoint Encryption product. Our environment does not currently utilize Active Directory. The documentation seems to mention that AD is a requirement if you want to manage Endpoint Encryption via McAfee ePO. We do utilize McAfee ePO in our environment but it is not synchronized with any Active Directory.

       

      Is there any way that we could install Endpoint Encryption standalone on laptops? If so, how do you go about doing this?

       

      We are about 18 months away from having full Active Directory in our environment.

        • 1. Re: McAfee EndPoint Encryption is a non-AD environment

          You can either use eepc5, which does not require a directory, or wait for eepc7.1 which offers user management within epo.

           

          You don't have to have your machines set up with ad, you just need a directory of users so you can assign them to machines, so you could stand up an ad just for this situation.

          • 2. Re: McAfee EndPoint Encryption is a non-AD environment
            alexn

            Hi,

             

            Any expected date for EEPC 7.1 with ePO 5.0 support?

             

            Thanks

            • 4. Re: McAfee EndPoint Encryption is a non-AD environment
              twenden

              Does McAfee still support EEPC 5.x with EEM? The release notes for the latest version show that it will encrypt systems from Windows 2000 to Windows 7. It makes no mention of Windows 8. Is Windows 8 going to be added to EEPC 5.x?

               

              Our campus is about 18 months away from getting a company-wide AD. Currently we use LDAP running on Redhat for authentication with applications on campus. It does not control the user accounts on the user's computer like AD would.

              I guess that EEPC must sync to AD and would not be able to use our Redhat LDAP server to pull users down?

               

              If EEPC 5.x is still supported and will support Windows 8 then I may start evaluating it as a solution.

               

              Message was edited by: SafeBoot on 7/2/13 11:53:06 AM EDT
              • 5. Re: McAfee EndPoint Encryption is a non-AD environment

                Windows 8 is a UEFI product, so no, EEPC5 will never support it - EEPC5 only supports BIOS systems. EEPC5 does support LDAP directories though, and you can create users directly in its management center (EEM).

                 

                If you need Win8 support, you're going to have to wait for EEPC7.1 and EPO5.1 which will have the ability again to create and manage users directly within EPO, and an API which you can use to integrate with other directories like your LDAP.

                 

                It doesn't matter that the OS does not pay attention to the directory.

                • 6. Re: McAfee EndPoint Encryption is a non-AD environment

                  Windows 8 can be installed in either UEFI or BIOS mode.  You may have to re-install new systems that come with Win 8 since they will most likely be in UEFI mode by default.  Most new desktop/laptop systems still support BIOS mode, but we have run into a few systems, mostly the new Windows 8 tablets that only support UEFI. 

                  • 7. Re: McAfee EndPoint Encryption is a non-AD environment
                    curo57

                    Can you expand on exactly what kind of support will be available for non-AD environments in 7.1?  We are currently running 5.x and are a very mixed environment; some AD systems, some not.  Getting every laptop on AD will be a challenge for us, thus our migration to 7.0 will be painful.  Are you saying that AD is no longer a requirement in 7.1?

                    • 8. Re: McAfee EndPoint Encryption is a non-AD environment

                      For the exact details you are going to have to wait for the release, I'm afraid. But basically you'll be able to add, import, modify etc. users directly within EPO - much like you can in EEM now, and there will be an API you can use to programmatically handle them.

                       

                      BUT remember - when you say

                      Getting every laptop on AD will be a challenge for us

                      You are missing the point that you don't have to have ANY laptops in AD - no version of EEPC cares about whether the device is registered against AD or not - the only thing you need is for your users to be listed in AD - they don't have to be using AD at all - you just need a directory of users so you can assign them to machines etc.

                       

                      Of course, the function to automatically add users based on cached domain creds won't work, but if you are happy to assign users manually in EPO, you don't need the machines in the field to be connected to AD at all. In fact you could stand up a completely isolated AD server, connect it to EPO, and add the users into it (like you do within EEM), then you can assign users from that isolated AD server to machines in EPO etc...

                       

                      The AD requirement just satisfies the need to have something with a list of the user names - that's all (and that's what's being added to EPO 5.1)