      I have recently taken over management of our ePO / EEPC (MDE or whatever it is being called today) and was hoping someone could direct me to the info I need. I am working on setting up a response to report on any system that is not encrypted (in a decrypting or decrypted state) and am having trouble finding what to look for. The previous admin went the route of looking for events on the server with the filter being systems out of compliance. But that never worked (see below).


      I started trying to base one off ePO notification events but the type is Client. I was looking at Event Description but for EEPC it seems that "Decryption started" would be the only option to help determine if the system was decrypting.


      If someone could point me in the right direction that would be greatly appreciated.



      Event group - ePO Notification Events

      Event type - Server

      Filter - Event Description - Computers are non-compliant and Affected Comp Name is not blank

          What version of EPO and EEPC / DEPC are you running? There are some standard dashboards (called Drive Encryption) that provide you with the top level information you're looking for.

            Sorry, meant to include that:


            EPO - 4.6.8

            EEPC - mix of 7.0.2/3 and 7.1.1


            I have the dashboard up but unless there can be an alert triggered from there it would not be enough.  Also, the plan would be to have the alert go to a group of people in case I am not available to check into the system to see why it is decrypting / decrypted.


            Thanks for the reply.  Mike

              About  the best thing I could think of is utilizing Automatic Responses. Basically creating a new response that if the event ID for a decryption takes place (if there is such a thing) then email you or the list of people you're thinking of.


              This is contingent on if the decrypt process triggers a specific event ID code. I've tried searching, but can't seem to find one. I'll keep looking just in case though.


              Otherwise maybe just a semi-regular server task that runs a report and sends a CSV to you. Basically looking for the Drive Encryption state is decrypting.

                There's an event ID: 30046: Deactivation Event (Info) which you could set up an automatic response to notify you as suggested by pwalski. Obviously assumes the client has connection to ePO.


                If you go into Menu - Configuration - Server Settings - (and edit) Event Filtering, it shows you all the event IDs. Encryption ones start from 30000. If you've got older versions, there may be legacy ones there.


                I've got automatic notifications for 30015, 30016 set up.


                Set up a notification and deactivate a test PC to see if it works.



                  Sorry for the slow reply, had been off for a bit. I have just gotten back to this and set up the auto response and configured a system so it started decrypting, but unfortunately it isn't sending the email. If I show client events (System Tree > Check system > Actions > on the system I am only seeing Event ID 30000 and 30004. No 15/16 IDs.


                  The Automatic response is configured as below:

                  Event: Event group: ePO Notification Events
                  Event type: Client
                  Status: Enabled
                  Aggregation: Trigger this response for every event.
                  Grouping: Do not group aggregated events.
                  Throttling: This response is not throttled.
                  Actions: 1: Send Email
                    Hmm, maybe I was a little too quick. It eventually sent me an email. Now to see about getting the agent info included.


                    Edit: OK. Got it working, now wondering if I can get one email with all systems rather than an individual email for each system.