1 Reply Latest reply on Sep 30, 2015 8:46 AM by SafeBoot

    How Do You Manage Encryption User Assignments?

    cdobol

      I am looking for ideas on how to manage the users and user assignments for MDE. Currently we are using $autoboot$ with a HD password. We want to move to pre-boot authentication with either BitLocker or MDE and get rid of the HD password. The only thing I like about BitLocker is that you don't have to manage user keys - you can just use a PIN (no user ID), which would be acceptable for us (password would be better). For MDE we need user-to-machine assignments. Ideally, if we could just have a managed password for each machine, that would be great (already passed that idea/suggestion to McAfee). An idea I was thinking of... During MDE installation, automate an MDE user to be created unique to the machine (maybe serial #?), assign user to machine... user uses the serial number for PBA. Of course this isn't perfect because of other use cases... like shared laptops, but it would work with a vast majority of our laptop use cases.

      Just curious if anyone else is doing anything creative with the MDE user and machine assignments that you could share.

       

      Thanks!

        • 1. Re: How Do You Manage Encryption User Assignments?

          All the security best practices advise against device-based/common passwords, and steer people towards personal authentication. Device passwords are invariably shared, sharing means you can't attribute actions to a person, and no attribution means you can't identify people-related problems.

          I agree it's a "cheap" solution, but it's very much suboptimal.