5 Replies Latest reply on Mar 8, 2017 3:34 AM by chris00r

    Deleting Endpoint Encryption tokens via webapi call

    chris00r

      Hello everybody,

      We're using McAfee Endpoint Encryption with ePO 5.3.2. Our workstations are almost all encrypted with EE. Because we had problems at the beginning of the rollout of the preboot authentication, we deactivated the preboot stage on nearly all systems. In the meantime nearly all users' local preboot passwords are out of sync, because the users had to change their AD passwords under our policy.

      Now we would like to activate the preboot stage again. If we simply activate it, the user has problems getting through the preboot stage, because the preboot password is out of sync, as I said. If we delete the token manually via the ePO console, the user can get through the preboot stage by setting the password and reconfiguring his self-recovery token. This procedure is not manageable in our company, because we have too many users. We would like to use the web API, but I think there is no command for deleting a user's token. I found two commands which come very close to what we want:

      eeadmin.resetSelfRecovery userDn - Drive Encryption reset users self-recovery token.

      eeadmin.changeUserPassword userDn newPassword [oldPassword] - Drive Encryption change user's password

      When using the resetSelfRecovery command, the user is only allowed to reset his self-recovery token. This is not what we want.

      When using the changeUserPassword command, I see no effect from it. For example, I set the password to "12345" (or similar). Obviously nothing happens. Can somebody explain what that command really does?

      So, is there someone who can help us? We need to reactivate the preboot stage for a lot of users. The best way would be a web API command to reset the user's token.

      I would be very glad for comments and help!

      Chris00r

        • 1. Re: Deleting Endpoint Encryption tokens via webapi call
          catdaddy

          Successfully moved from Business to Encryption: ePO Managed > Discussions

          I moved it to ePO Encrypted as you mentioned such.

          • 2. Re: Deleting Endpoint Encryption tokens via webapi call
            jhall2

            The eeadmin.changeUserPassword command should reset the token if you do not specify the old password.

            Drive Encryption 7.1 Scripting Guide (PD24869)

            "If you don't specify the old password, users are reinitialized, leading to the loss of token, logon, Single-Sign-On (SSO), Self-Recovery, and password history data. This requires the users to reinitialize their data at next logon."

            However, you can just reset the token for the entire lot via the DE: Users query. Although you cannot use the select all button, you can select the first entry, scroll to the last entry, press and hold Shift and select the last entry, then select Actions | Drive Encryption | Reset Token.

            • 3. Re: Deleting Endpoint Encryption tokens via webapi call
              chris00r

              Hi there, thank you for your comments!

              As I mentioned, I already tried to use the command eeadmin.changeUserPassword:

              eeadmin.changeUserPassword userDn newPassword [oldPassword] - Drive Encryption change user's password

              The old password is an optional parameter. The userDn (that's perfectly clear) and the newPassword have to be specified. Without specifying the newPassword, the web request ends in a failed state. So if I specify a password, let it be "12345" for example, the web request ends in a success state. Everything seems to be good, BUT: there is NO effect on the EE client system. In the log, I cannot recognize a change. It has no effect, exactly NO effect. If the client reboots, the user is NOT prompted to renew his credentials; furthermore, the user is not able to use the password "12345" I specified. The user is able to use "his old password" (if it existed, or rather the one the user specified in the past). So on the whole the command "changeUserPassword" does not help us solve the problem.

              • 4. Re: Deleting Endpoint Encryption tokens via webapi call
                jhall2

                I just tested and received a different behavior than you. I ran the following command from a browser and did not specify the old password:

                https://unityepo.unity.local:8443/remote/eeadmin.changeUserPassword?userDn=CN=jhall2,OU=DomainAdmins,DC=UNITY,DC=LOCAL&newPassword=password

                I received this message:

                OK: Succeeded

                After waiting about 5 minutes to allow the database to process the request, I performed a collect and send props on the client and waited for policy enforcement to complete. I then saw this in the MfeEpe.log:

                 

                2017-03-07 15:32:24,868 INFO   EpoState   == Start of policy enforcement ==

                2017-03-07 15:32:25,165 INFO   EpoPlugin   userHandler: requesting updates for user A472B39FDF4F154AA299DA98F66ECCF7: token data, self recovery data, logon data, sso data

                2017-03-07 15:32:51,666 INFO   StatusService   updating Drive Encryption users

                2017-03-07 15:32:51,760 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had logon data updated

                2017-03-07 15:32:51,822 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had token data updated

                2017-03-07 15:32:51,885 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had SSO data updated

                2017-03-07 15:32:51,947 INFO   UserLib   userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had UBP updated

                2017-03-07 15:32:52,572 INFO   EpoState   == End of policy enforcement ==

                 

                Upon the reboot, the users password was reset to the value entered into the command and not reset back to the default password.

                 

                This was tested with the MDE 7.2.0.457 extensions. I am researching this behavior further.

                • 5. Re: Deleting Endpoint Encryption tokens via webapi call
                  chris00r

                  Hi,

                  thank you for your help!

                  I tested nearly the same command as you wrote. I also received OK: Succeeded; my MfeEpe.log has the following entries:

                  2017-03-08 08:02:29,978 INFO    EpoPlugin                            userHandler: processing user updates/requests

                  2017-03-08 08:02:30,337 INFO    EpoPlugin                            userHandler: requesting updates for user *ID*: token data, self recovery data, logon data, sso data

                  2017-03-08 08:02:30,337 INFO    EpoPlugin                            Sending user updates for *USER* (*ID*) to ePO

                  2017-03-08 08:02:30,353 INFO    EpoPlugin                            userHandler: dispatching ESUserList event to McAfee Agent

                  2017-03-08 08:02:30,353 INFO    EpoPlugin                            userHandler: Note, press Send Events button in McAfee Agent to hasten delivery (see KB71865).

                  2017-03-08 08:02:30,681 INFO    StatusService                        Ereignis zum Synchronisieren von aktualisierten Benutzerdaten wird erstellt.

                  2017-03-08 08:02:38,811 INFO    DRIVER                               Session notification: EPEPC_DRIVER_SESSION_LOGON

                  ...

                  2017-03-08 09:20:42,537 INFO    EpoState                             == End of policy enforcement ==

                   

                  The Entries with "...has had ... updated are missing in my logs.

                   

                  I am using the same version number and extension like you.
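The thread boils down to two things an admin has to get right: sending eeadmin.changeUserPassword without the optional oldPassword (which, per the Scripting Guide quote in reply 2, is what actually reinitializes the user) for many DNs, and then confirming on the client that the reset arrived, which in reply 4 shows up as "has had token data updated" lines in MfeEpe.log and in reply 5 does not. The following script is an added example written for this thread; it is not McAfee's code and not something any poster ran. The ePO host name, the credentials and the sample log lines are constructed; the command name, its parameters, the plain-text "OK: Succeeded" response and the log format are taken from the posts above.

```python
"""Batch token reset over the ePO Web API, plus a check of MfeEpe.log.

Added example for this thread; not McAfee's code and not a poster's script.
EPO_BASE, the credentials and the sample logs below are constructed; the
command, its parameters and the log format come from the thread.
"""
import base64
import re
import ssl
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Set
from urllib.parse import urlencode

EPO_BASE = "https://epo.example.local:8443"   # hypothetical ePO server
COMMAND = "eeadmin.changeUserPassword"         # from the Scripting Guide


def build_change_password_url(epo_base: str, user_dn: str, new_password: str,
                              old_password: Optional[str] = None) -> str:
    """Build the remote command URL.  Leaving oldPassword out is the point:
    per the Scripting Guide quote above, that reinitializes the user (token,
    logon, SSO, self-recovery and password history data are discarded)."""
    params = {"userDn": user_dn, "newPassword": new_password}
    if old_password is not None:
        params["oldPassword"] = old_password
    return f"{epo_base.rstrip('/')}/remote/{COMMAND}?{urlencode(params)}"


def https_get(url: str, username: str, password: str,
              ca_bundle: Optional[str] = None) -> str:
    """GET with HTTP basic auth, as ePO remote commands expect.  TLS
    verification stays on; pass the ePO CA bundle if it is not trusted."""
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


def response_ok(body: str) -> bool:
    """ePO answers a remote command in plain text: 'OK: ...' on success
    (the thread shows 'OK: Succeeded'), 'Error ...' otherwise."""
    return body.lstrip().startswith("OK:")


def reset_users(epo_base: str, user_dns: Iterable[str], new_password: str,
                send: Callable[[str], str]) -> Dict[str, bool]:
    """One request per user DN; returns {dn: succeeded}.  `send` is the
    transport: https_get with credentials bound, or a stub in a dry run."""
    return {dn: response_ok(send(build_change_password_url(epo_base, dn, new_password)))
            for dn in user_dns}


# --- client-side verification ---------------------------------------------
# A reset that reached the client shows up in MfeEpe.log as
# 'user <name> (<id>) has had <item> updated' lines during policy enforcement.
USER_UPDATE_RE = re.compile(
    r"user (?P<name>\S+) \((?P<id>[^)]+)\) has had (?P<item>.+?) updated")
REQUIRED_ITEMS: Set[str] = {"token data", "logon data", "SSO data"}


def updated_items(log_lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each user name to the set of data items the log says were updated."""
    seen: Dict[str, Set[str]] = {}
    for line in log_lines:
        m = USER_UPDATE_RE.search(line)
        if m:
            seen.setdefault(m.group("name"), set()).add(m.group("item"))
    return seen


def token_reset_confirmed(log_lines: Iterable[str], user: str) -> bool:
    """True only when token, logon and SSO data were all updated for `user`."""
    return REQUIRED_ITEMS <= updated_items(log_lines).get(user, set())


# Constructed sample logs, shaped like the two posted in replies 4 and 5.
SAMPLE_OK_LOG: List[str] = [
    "2017-03-07 15:32:25,165 INFO EpoPlugin userHandler: requesting updates for user A472B39FDF4F154AA299DA98F66ECCF7: token data, self recovery data, logon data, sso data",
    "2017-03-07 15:32:51,760 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had logon data updated",
    "2017-03-07 15:32:51,822 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had token data updated",
    "2017-03-07 15:32:51,885 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had SSO data updated",
    "2017-03-07 15:32:51,947 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had UBP updated",
]
SAMPLE_PENDING_LOG: List[str] = [
    "2017-03-08 08:02:30,337 INFO EpoPlugin userHandler: requesting updates for user *ID*: token data, self recovery data, logon data, sso data",
    "2017-03-08 08:02:30,337 INFO EpoPlugin Sending user updates for jhall2 (*ID*) to ePO",
    "2017-03-08 09:20:42,537 INFO EpoState == End of policy enforcement ==",
]

if __name__ == "__main__":
    # Dry run against a stub transport.  For a real server bind credentials:
    #   send = lambda u: https_get(u, "epo-admin", "secret", "epo-ca.pem")
    dns = ["CN=jhall2,OU=DomainAdmins,DC=UNITY,DC=LOCAL"]
    print(reset_users(EPO_BASE, dns, "password", lambda _url: "OK: Succeeded"))
    print("reset confirmed:", token_reset_confirmed(SAMPLE_OK_LOG, "jhall2"))
    print("reset pending:", not token_reset_confirmed(SAMPLE_PENDING_LOG, "jhall2"))
```

The transport is injected so the batch can be rehearsed without touching ePO; the log check is the part to run on a sample client after policy enforcement, since an "OK: Succeeded" from the server alone proved nothing for chris00r. A reset is only counted as confirmed when token, logon and SSO data all appear as updated, which is the set of items the server-side reinitialization is documented to discard.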