Maybe I am not fully understanding your scenario - but if your subgroup of administrators already only has access to specific system tree groups in EPO then they should only be able to access keys from those systems (Actions > McAfee Management of Native Encryption > McAfee Management of Native Encryption Recovery). If you have not restricted system tree access already it can be found in the EPO permission set configuration under 'System Tree access'. If this is not the case could you clarify which form of key access you are attempting to restrict?
Hi thanks for the reply,
i already, limited the access rights for the system tree groups in EPO but over the menue McAfee Management of Native Encryption i can still access the recovery information from the hole company after enter the right appleid / bitlocker recoveryid. In the administrative right section i can´t specify the access for this modul (only allow/deny), but if i remove the access right for the group they also can´t see the recovery information in the system tree group for the subgroup too.