3 Replies Latest reply on Jul 10, 2014 9:55 AM by dmease729

    EEFF - Unexpected results with 'Removable Media' category settings

    dmease729

      Hi,

       

      Environment: EEFFv4.2 running on ePO 4.6.6.  EEFF itself running on Win7 Pro SP1 32-bit.

       

      I am new to EEFF, and currently have version 4.2 deployed on a lab Win7 VM host running in VMWare Workstation.  With respect to the 'Removable Media (UBP)' category I have tested the following protection levels via Policy Assignment Rules:

       

      Allow Encryption (with offsite access): When policy is assigned, I copied an exe from USB to local disk, and vice versa successfully

       

      Enforce Encryption (with offsite access): When policy is assigned, user was forced to encrypt with a password (if user didnt, device was then Read Only).  Files could then be copied from USB to local disk and vice versa.  When USB inserted into another host, password had to be entered before files were accessible.

       

      Enforce Encryption (on site access only): Encryption key set to 'Key1' and 'ignore existing content' selected.  I also ensured that the 'Grant Keys (UBP)' policy assigned included this Key.  It was a regular key created in EEFF Keys. This was slightly problematic - nothing seemed to happen when USB was connected.  I could then copy files from USB, but when trying to copy a file to the USB, I received the error below.

       

      80070052.JPG

       

      Questions:

      - EEFF v4.2 Product Guide p18 advises that when 'allow encryption (with offsite access)' is selected, no further unencrypted data can be written to the device.  This differs to what I have noted, as I could still write unencrypted files to the USB device.  Are my results expected?

      - Same Product Guide page advises that when 'enforce encryption (onsite access only)' is selected, EEFF encrypts the files and folders with the selected key while copying to the USB device.  As I have selected a key, and that key has been granted to the user, I am not sure if there are any further steps I need to take or if this is another issue - thoughts?

      - In EEFF console, when I am testing 'enforce encryption (onsite access only)', the status report shows the following:

          - Available Keys: <none>

          - Removable Media Policies: Allow unprotected access

        This remains the same even when assigning 'enforce encryption (with offsite access)' - I know the correct policy is assigned as I get prompted to encrypt (and if I dont, the device is read only).

        Does the EEFF console only reflect the policy that is assigned to the system itself in ePO?  If so, this potentially makes troubleshooting a little irksome!

       

      As said, I am new to this, so there may be steps I am missing.  I cant seem to find anything more to help me in either the Product Guide or the ePO help files.  I have just seen DOC-4473 (EEFF 4.2 POC Guide) so will have a wee gander through that also!

       

      Cheers!

        • 1. Re: EEFF - Unexpected results with 'Removable Media' category settings
          Naveen Chakrapani

          From what you are seeing on the console, the right policy/encryption key is not available on the client; hence you might seeing the issue

          • 2. Re: EEFF - Unexpected results with 'Removable Media' category settings
            dmease729

            Cheers Naveen,

             

            It would appear to be the case.  I have been running further tests today, and the user-based PAR does not appear to be working:

             

            New EEFF key created: PoC

            Removable Media policy (PoC): Enforce encryption (onsite access only), key = PoC

            Grant Keys policy (PoC): Includes PoC key only

             

            Test 1 Both policies assigned at system tree level (no PARs at this stage)

                 - endpoint EEFF console shows correct removable media policy and the PoC key

                 - Writing to USB device automatically encrypts test file (using local agent log).  Padlock icon is shown, and when attempting to read on another system (that does not have McAfee products installed), file is garbled, with a warning message at the top beginning "Type: This file is encrypted with McAfee Endpoint Encryption for Files and Folders"

                 - I note that I can still see the filenames on the 'external' system

             

            Test 2 Removed the grant keys PoC policy at system level (replaced with 'My Default', containing no keys).  Updated policies.

                 - endpoint EEFF console shows correct removable media policy, and no keys

                 - writing to USB device simply writes an unencrypted file.  No padlock and can read file fine on another system (that does not have McAfee products installed)

             

            Test 3 Assigned the grant Keys PoC policy as a user-based PAR (AD security group 'group1' containing 'user1') and logged in as user 1.  Updated policies.

                 - endpoint EEFF console shows correct removable media policy, but still no keys are shown

                 - writing to USB device simply writes an unencrypted file.  No padlock and can read file fine on another system (that does not have McAfee products installed)

             

            A number of points of concern in the above, however most concerning at present is Test 3, as the PAR doesnt appear to be working (although the agent log shows that it has downloaded policies for user 1 and is also enforcing them).  I have reconfirmed ADUC policy, and the PAR configuration (and also recorded my steps, although I cannot seem to post a PDF to the forum).  I am assuming that this is not what is meant to be happening.  My concern grows due to my previous experience (initial post) where what was happening on the host pointed to the correct removable media policy being assigned, but that policy was not reflected in the EEFF console (ie the console only appeared to show the system-tree assigned policy, and not the PAR-assigned policy).

             

            If the above thoughts could be confirmed, I can carry out further tests?  I can also send the document to you if you DM me your email address (and if you have 5 minutes :-))

             

            Cheers,

            • 3. Re: EEFF - Unexpected results with 'Removable Media' category settings
              dmease729

              Update: As I expected, but from KB72775 (4/30/2014), in ePO4.6 user-based PARs aggregate with System Tree based policies.  I think the table is slightly misleading, however - I dont think you will ever end up with the bottom right result (ie 'UR' only) as there will always be an ST-assigned policy.