Installing the McAfee agent and enabling encryption
Overview
The McAfee agent can be found at \\titan\software$\FSP\Disk Encryption\McAfee_Agent_SSVMEPOPROD.exe or in LANDesk under the Tufts->McAfee Drive Encryption folder. Installing the McAfee agent will automatically start the process of activating drive encryption and upgrading the computer from EEPC if it is currently encrypted.
The following is a list of products that are not compatible with Drive Encryption. They must be removed prior to installing the McAfee agent.
- BitLocker Drive Encryption (Microsoft)
- Guardian Edge
- Hewlett Packard Protect Tools (Drive Encryption) software
- HP OEM Client
- PGP Whole Disk Encryption
- PointSec6
- SafeBoot
- SafeGuard Easy (Sophos)
- SafeGuardEasy550
- SafeNet ProtectDrive
- Symantec Endpoint Encryption
- TrueCrypt (Free Open-Source On-The-Fly Disk Encryption Software)
- Wave Trusted Drive Manager
- WinMagic SecureDoc
Encryption Process
- Once the McAfee agent is installed, it automatically downloads and installs the Drive Encryption application; the user may be prompted to reboot.
- MDE (McAfee Drive Encryption) then runs a set of compatibility checks: it looks for incompatible products (BitLocker or any of the other encryption products listed above), reads the hard drive's SMART status, and verifies that it can reach the McAfee ePO server.
- If all the checks pass, MDE starts encrypting the hard drive. It may take up to 20 minutes before encryption begins (clicking the "Collect and Send Props" button in the McAfee Agent Status Monitor speeds this up). You can check progress by clicking the McAfee icon in the system tray and selecting Quick Settings->Show Drive Encryption Status. The activation steps, which appear in the Show Drive Encryption Status window beneath the Volume Status, are:
  - Creating Event to request data for local domain users (~5 min; clicking "Send Events" in the McAfee Agent Status Monitor speeds this up)
  - Creating Event to request data for assigned users (~5 min; "Send Events" speeds this up as well)
  - Detecting incompatible products
  - Creating preboot file system (pbfs)
  - Sent recovery key to Key Server
  - Committing activation
  - Updating Drive Encryption Users
  - Policy Enforcement is complete
- Once the encryption has started, preboot authentication (the McAfee login screen) is enabled.
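The checks MDE runs before it will encrypt (incompatible products, BitLocker, drive SMART status, connectivity to the ePO server) are the same things that most often stall an activation, so it is worth verifying them before the agent is pushed. The script below is an added example, not code from the Tufts article or from McAfee, and is run from an elevated PowerShell prompt on the client before launching McAfee_Agent_SSVMEPOPROD.exe. It assumes: the ePO server name and port in `$EpoServer`/`$EpoPort` are placeholders that must be replaced with the real values (the article does not name them); the product-name patterns are derived from the incompatibility list above and may need adjusting to the exact DisplayName strings each vendor registers; and the optional `-DisableHibernation` switch applies the McAfee best-practice recommendation quoted later on this page.

```powershell
# Added example: pre-flight checks before installing the McAfee agent.
# Not from the Tufts KB article or McAfee documentation.
# ASSUMPTIONS: $EpoServer / $EpoPort are placeholders; the product-name patterns
# below are approximations of the vendors' DisplayName strings.
[CmdletBinding()]
param(
    [string]$EpoServer = 'epo.example.org',   # placeholder, assumed
    [int]$EpoPort = 443,                      # placeholder, assumed
    [switch]$DisableHibernation
)

$ErrorActionPreference = 'Stop'
$problems = New-Object System.Collections.Generic.List[string]

# 1. Installed products that conflict with Drive Encryption (from the list on this page).
$incompatible = @(
    'Guardian ?Edge', 'ProtectTools', 'HP Client Security', 'PGP', 'Pointsec',
    'SafeBoot', 'SafeGuard', 'ProtectDrive', 'Symantec Endpoint Encryption',
    'TrueCrypt', 'Trusted Drive Manager', 'SecureDoc'
)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object -ExpandProperty DisplayName
foreach ($pattern in $incompatible) {
    foreach ($hit in ($installed | Where-Object { $_ -match $pattern })) {
        $problems.Add("Incompatible product installed: $hit")
    }
}

# 2. BitLocker: any volume that is not fully decrypted blocks MDE activation.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
        ForEach-Object {
            $problems.Add("BitLocker still present on $($_.MountPoint): $($_.VolumeStatus)")
        }
}

# 3. Drive health: MDE checks SMART status before it will encrypt.
try {
    Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus |
        Where-Object { $_.PredictFailure } |
        ForEach-Object { $problems.Add("SMART predicts failure for $($_.InstanceName)") }
} catch {
    # Some controllers do not expose the WMI SMART class; fall back to the generic status.
    Write-Verbose "SMART class unavailable: $($_.Exception.Message)"
}
Get-CimInstance -ClassName Win32_DiskDrive | Where-Object { $_.Status -ne 'OK' } |
    ForEach-Object { $problems.Add("Disk $($_.DeviceID) reports status '$($_.Status)'") }

# 4. ePO reachability: the agent must talk to the server before activation can start.
$tcp = Test-NetConnection -ComputerName $EpoServer -Port $EpoPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    $problems.Add("Cannot reach ePO server $EpoServer on TCP $EpoPort")
}

# 5. Hibernation: McAfee's best-practice guidance is to disable it on Windows clients.
if ($DisableHibernation) {
    & powercfg.exe /hibernate off
    if ($LASTEXITCODE -ne 0) { $problems.Add('powercfg failed to disable hibernation') }
}

if ($problems.Count -gt 0) {
    Write-Warning 'Do NOT install the McAfee agent yet:'
    $problems | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
Write-Host 'Pre-flight checks passed; ready to run McAfee_Agent_SSVMEPOPROD.exe.'
exit 0
```

A non-zero exit code means at least one of the conditions MDE will later refuse on is already present; fix those (decrypt BitLocker volumes, uninstall the listed product, replace a drive with a failing SMART status) before deploying the agent, otherwise the activation sits at "Detecting incompatible products" and never reaches "Committing activation".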
Technical Overview from McAfee
The information below is taken from the Drive Encryption activation sequence section of the MDE 7.1 Best Practices Guide.
Drive Encryption activation sequence
When the DEAgent and Drive Encryption packages are successfully deployed, the user is prompted to restart the system. The restart is essential for activation of Drive Encryption on the client to proceed. The restart can be canceled, however, Drive Encryption will not become active on the client until the restart has occurred. In addition, hibernation and the use of new USB devices will be impaired until a restart is issued.
Drive Encryption Status
System restarts as initiated. You don't yet see the PBA page as the Drive Encryption software is not yet active on the client. However, you should now be able to see the new option:
- Quick Settings|Show Drive Encryption Status in McAfee Agent System Tray on the client system (DE:Windows)
DEAgent synchronization with the McAfee ePO server
The status in the Show Drive Encryption Status window is Inactive until DEAgent synchronizes with the McAfee ePO server and gets all the users assigned to it. This is referred to as an ASCI event. It can be manually triggered on the client by opening the McAfee Agent Status Monitor, then clicking Collect and Send Props. It can also be triggered from the McAfee ePO server by an agent wake-up call, otherwise, you need to wait for the scheduled agent-server communication interval to occur (the default is 60 minutes). After two agent-server communication intervals, Drive Encryption activation begins. The activation process requires a number of McAfee ePO events to be sent, and this can take some minutes to occur. Once the client-server communication has completed, the Drive Encryption Status switches to Active and encryption starts based on the policy defined.
When Drive Encryption activation is complete, it should be restarted once before hibernation takes place. For this reason, we recommend that hibernation be disabled from the Control Panel on Windows clients.
User intervention during encryption
The user can continue to work on the client system as normal even during encryption. Once the entire disk is encrypted, the technology is completely transparent to the end user. It is safe and risk-free to restart the client system during encryption.
PBA (Pre-boot Authentication)
When the client system is restarted and Drive Encryption is first activated, the user should log on with the username that matches the user attribute set in the LdapSync: Sync across users from LDAP task and the default password of 12345 (this is the McAfee default password which can be changed in the User Based Policy) in the PBA page. The user is then prompted to change this password and enroll for self-recovery based on the policy set.
Single Sign On (SSO)
The Drive Encryption client system then boots to Windows. This first boot establishes SSO (if it has been enabled). On future restarts, the user needs to log in to PBA only. Once authenticated, SSO automatically logs on to Windows. In short, the SSO option facilitates the user with the single authentication to the Operating System even when PBA is enabled. Though it requires an extra step, disabling SSO is the more secure configuration. When the Synchronize Drive Encryption password with Windows option is enabled, the Drive Encryption password is reset to the Windows password.
Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.