11 Replies. Latest reply on Dec 30, 2016 3:12 AM by aaron1337

    DE 7.1.3 Adding users with UBP enabled does not work

    aaron1337

      Hey guys,

       

      We are running Drive Encryption 7.1.3.604. It works so far when a 'regular' user is added to the system. Regular means no UBP enforcement enabled.

       

      For administrative and support tasks, we need a user (let's say 'admin-user') on every system, which has a UBP enabled that lets the password never expire. The password of 'regular' users will expire after a specific period.

       

      So I created an extra user-based policy, which has the specific setting for this scenario. Moreover, I created a policy assignment rule, which assigns this policy to this only user, which has to be on every system. Last but not least I ran the report 'de users' to enable UBP enforcement for this user.

       

      But I'm not able to assign this user (with UBP enforcement enabled) to a system. I am able to do so if I disable the UBP enforcement.

       

      I tried two ways for adding the 'admin-user':

      - encryption users -> select system -> add user -> sync

       

      - encryption users -> select group/OU -> group users -> add the user -> sync

      (if I do this with a 'regular' user, it works flawlessly)

       

      If I look into the settings on the client (drive encryption status -> save computer information) only the 'regular' user is shown.

       

      My question is: what do I have to do, to add the 'admin-user' (with no password expiration) to any system of a specific group/OU?

       

      I appreciate any help. Thanks!

      Aaron

        • 1. Re: DE 7.1.3 Adding users with UBP enabled does not work
          jhall2

          After enabling UBP in DE: Users for the user and creating the policy assignment rule, the ePO Server Task "DE: Force update for UBP enforcement users" must be run. This task by default is set to run daily and should be changed to run hourly.

           

          More information can be found in KB84452

          • 2. Re: DE 7.1.3 Adding users with UBP enabled does not work
            aaron1337

            Thanks at first

             

            Just for better understanding: when do I have to run this server task? before assigning a user with UBP to a system or afterwards?

             

            I ran the server task now, but the user still doesn't appear in the 'client status file' (sync was complete). The UBP user is assigned directly to the system and not as a group user.

             

            Can you please tell me the correct order for the steps I have to do to add a user (with UBP) to a system which already has a regular user?

             

            Thank you!

            • 3. Re: DE 7.1.3 Adding users with UBP enabled does not work
              jhall2

              1. Configure Policy Assignment Rule for user (This can be done before or after assigning the user)

              2. Assign the user

              3. Edit and enable the UBP option for the user in DE: Users

              4. Run "DE: Force update for UBP enforcement users" task

              • 4. Re: DE 7.1.3 Adding users with UBP enabled does not work
                jhall2

                Aaron,

                 

                Can you get the MfeEpe.log from the client system?

                 

                     C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpe.log

                 

                This should give us a little more insight as to what is occurring on the client system.

                • 5. Re: DE 7.1.3 Adding users with UBP enabled does not work
                  aaron1337

                  I did it in this mentioned order, but still no success :-/

                   

                  Attached to this post you will find the requested file. Because we have a German operating system, some entries are German ;-)

                   

                  Additionally, I also attached a screenshot of the policy assignment rule. Maybe there is a mistake?

                  • 6. Re: DE 7.1.3 Adding users with UBP enabled does not work
                    jhall2

                    The log shows that the UBP isn't available for the user:

                     

                    2016-12-21 08:19:41,122 WARNING EpoPlugin                       userHandler: OptIn user (i.e. non-default UBP user) [1\6776dc310b394051825e3f14417c5f08] has incomplete UBP (missing UBP/Ident) which will cause this user to be ignored.

                     

                    I noticed this is a User Directory user so I tested in my environment and was successful in adding a user with the UBP option enabled.

                     

                    2016-12-21 18:03:10,409 INFO    EpoPlugin                       enforceUserPolicy: User (1\3f9f303bba3c48d08399bf14da777833) added to policy store.
                    2016-12-21 18:03:10,424 INFO    EpoState                        == Start of policy enforcement ==
                    2016-12-21 18:03:10,424 INFO    StatusService                   Policy enforcement has started
                    2016-12-21 18:03:21,690 INFO    UserLib                         userLib: user testubp (3F9F303BBA3C48D08399BF14DA777833) successfully added

                     

                    I also verified I could make it fail by either not having a PAR or running the "DE: Force update for UBP enforcement users" task:

                     

                    2016-12-21 18:02:32,206 WARNING EpoPlugin                       userHandler: OptIn user (i.e. non-default UBP user) [1\3f9f303bba3c48d08399bf14da777833] has incomplete UBP (missing UBP/Ident) which will cause this user to be ignored.

                     

                    Either the Policy Assignment Rule isn't working correctly or the UBP enforcement task is failing. Can you look at the Server Task Log for the "DE: Force update for UBP enforcement users" and verify the task successfully completed and view the "Log Messages" to see if there were any explicit failures?
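
Added example, not part of the thread and not McAfee code: a small triage script that scans MfeEpe.log text for the two messages quoted in the reply above and reports which UBP users are still being ignored by the client. The function names are hypothetical, the sample log is constructed from the lines quoted in the thread, and it assumes the hex string after the backslash identifies the user and compares case-insensitively.

```python
import re

# Constructed sample: the MfeEpe.log lines quoted in the thread, merged into one
# log for illustration (in the thread they come from two different clients).
SAMPLE_LOG = r"""
2016-12-21 08:19:41,122 WARNING EpoPlugin   userHandler: OptIn user (i.e. non-default UBP user) [1\6776dc310b394051825e3f14417c5f08] has incomplete UBP (missing UBP/Ident) which will cause this user to be ignored.
2016-12-21 18:02:32,206 WARNING EpoPlugin   userHandler: OptIn user (i.e. non-default UBP user) [1\3f9f303bba3c48d08399bf14da777833] has incomplete UBP (missing UBP/Ident) which will cause this user to be ignored.
2016-12-21 18:03:10,409 INFO    EpoPlugin   enforceUserPolicy: User (1\3f9f303bba3c48d08399bf14da777833) added to policy store.
2016-12-21 18:03:10,424 INFO    EpoState    == Start of policy enforcement ==
"""

# timestamp, level, component, message. The \s* after the level tolerates
# copies of the log where the padding between level and component was lost.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>INFO|WARNING|ERROR)\s*(?P<component>\w+)\s+(?P<msg>.*)$"
)
IGNORED = re.compile(r"OptIn user .*\[(?P<id>[^\]]+)\] has incomplete UBP")
ADDED = re.compile(r"User \((?P<id>[^)]+)\) added to policy store")


def user_key(raw_id):
    """Assumption: the part after the backslash identifies the user."""
    return raw_id.split("\\")[-1].lower()


def ubp_status(log_text):
    """Map user id -> (last state seen, timestamp); state is 'ignored' or 'added'."""
    status = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank line, continuation line or unknown format
        for state, pattern in (("ignored", IGNORED), ("added", ADDED)):
            hit = pattern.search(m["msg"])
            if hit:
                status[user_key(hit["id"])] = (state, m["ts"])
    return status


def still_ignored(log_text):
    """Users whose most recent UBP event is the 'incomplete UBP' warning."""
    return sorted(u for u, (state, _) in ubp_status(log_text).items() if state == "ignored")


if __name__ == "__main__":
    for uid in still_ignored(SAMPLE_LOG):
        print("UBP never reached the client for user", uid)
```

A user that stays in the `ignored` state after the server task has run and the agent has synced points at the server side (policy assignment rule, the enforcement task or server settings) rather than at the client.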

                    • 7. Re: DE 7.1.3 Adding users with UBP enabled does not work
                      aaron1337

                      Well, that's strange...

                       

                      Oh yes, I forgot to mention, that we only use local users with the "User Directory", so no LDAP.

                       

                      I checked the "Server Task Log" and every entry for the task "DE: Force update for UBP enforcement users" shows, that it was successfully completed and the same do the log messages:

                      12/22/16 4:00:07 PM  Started: Check and update machines for configured UBP enforcement users.

                      12/22/16 4:00:07 PM  Completed: Check and update machines for configured UBP enforcement users. (DE: Force update for UBP enforcement users)

                       

                      Here are more details about our settings:

                      Users are created in the user directory (local, no LDAP). There are only a few settings to make:

                      - cn (identical to logon name)

                      - logon name (identical to cn)

                      - attribute account control is not checked, but at some accounts yes and some, but I guess, that it makes no difference, right?

                      - display name (first and last name of the person)

                       

                      After creating, the accounts were enabled (actions -> enable user).

                      The regular user is assigned to the system in this way:

                      encryption users > select system -> actions -> drive encryption -> add user -> select user in the first field (users)

                      perform an agent wakeup (for sync):

                      system tree -> select system -> wake up agents -> no settings changed (not superagent wake-up call, randomization 0, options is checked, force policy update (tried with checked and not checked), retry interval 30s, abort after 5min)

                       

                      On the client the agent monitor shows different things (as normally) and drive encryption status shows that the policy enforcement is in progress and after a second it's done.

                      If I add another regular user, the drive encryption status shows that there are things to create for the new user (similar, I don't remember the true words) and after some minutes (or another sync) it's fine and the second user can log on to the system in drive encryption.

                       

                      But if the user has UBP the policy enforcement is just done, but shows the error in the mfeepe.log (tried it just a few minutes ago and same behaviour)

                       

                      The 'admin' user (with UBP) was created and assigned the same way (directly to the system and not as a group user). Enabling the UBP enforcement for the 'admin' user was successful.

                       

                      I also removed all system assignments for the 'admin' user, but still no luck.

                       

                      Do you have any other ideas, what could be the issue? What could make the UBP incomplete? Do you need more details for something?

                       

                      Note: the 'admin' user has such symbols '-' in its cn and logon name. Like 'it-admin'. Could this maybe be a problem?

                      • 8. Re: DE 7.1.3 Adding users with UBP enabled does not work
                        jhall2

                        I suspect the issue is likely the policy for the user isn't making it to the client machine. At this point I think we need to review the logs on the ePO server, any Agent Handlers, and the client system. Seems like something unusual is going on with the policy assignment and it could be failing in several different places.

                         

                        Please open a case with Drive Encryption Technical Support. If it isn't resolved when I get back in the office on Tuesday after Christmas, give me the last 4 of the case number and I will take a peek.

                        • 9. Re: DE 7.1.3 Adding users with UBP enabled does not work
                          aaron1337

                          Sorry for the late reply, but I was busy with other things and stuff ...

                           

                          I have opened a case with Drive Encryption Technical Support and they gave me some tips you already gave me, but also this:

                           

                          Menu -> Configuration -> Server Settings -> User Policies -> Database Mirroring has to be enabled (it wasn't before)

                           

                          He told me it has something to do with performance improvement and so on (he looked it up in an old case from 2015). At first I didn't believe it, because I couldn't imagine why this setting should have an influence on my issue, but it was definitely responsible, because after enabling this (and running the mentioned server task again) it worked flawlessly.

                           

                          Now everything works as desired

                           

                          So thank you very much for your help !!
