Further to our question, what we realized in our testing is the new password is getting pushed to the end user device via system.wakeupagent call however there is timelag before it is accepted at pre-boot time. We have seen if "Enforce Policy Interval" is around 10 mins, the password changes get effective around 7-8 mins. If the same is 15 mins then password change gets applied after 10 mins or so and if it 30 mins then it gets applied after 20 mins or so.
What we don't know is how this time is function of what? Is there a way to reduce this time. If yes then what. If not then can we deterministic-ally say that this time is function of Enforce Policy Interval.
Thanks for the help
When MDE receives a new policy, the policy contains a list of the users and timestamps for the user attributes. MDE will process this and check it against the PBFS. If a newer timestamp exists on the ePO server, an event will be generated to request the newer attributes and placed in the McAfee Agent event directory. By default MA will send events every 5 minutes. After the event is uploaded to ePO, ePO will process the event and generate a response package with the requested attributes and send a special agent wakeup call to the client machine. Upon receiving the special agent wakeup call, McAfee Agent will communicate to ePO and pull down the response package, hand it to MDE, at which point the PBFS will be updated with the newer attributes.
This process may take several minutes to accomplish.
Thanks for the information. so this list of attributes include password as well ? Also this 5 mins is the polciy enforcement interval so if this value is more the application of paasword will take more time ? Is there any quantification of how time this whole process will take ?
The password is nothing more than an attribute of the user.
The policy enforcement and event upload times are set separately in the McAfee Agent General Policy.
The policy enforcement time for Drive Encryption differs depending on several factors. If ALDU is enabled, upon the first policy enforcement after a restart, it will take an additional 5 minutes. If ePO or any remote agent handlers cannot directly connect to the client machine to issue the special agent wakeup call, McAfee Agent will pull down the response package upon the next ASCI. If ePO is under load, it may take a few additional minutes to create the response package.
In all, generally it takes about 7 minutes for a typical policy enforcement and about 12 minutes for the first policy enforcement after a reboot (When ALDU is enabled).