ePolicy Orchestrator (ePO) supports the use of a single package installer to help the deployment of McAfee Agent. This package is separate from the standard ePO deployment mechanisms. It is intended to facilitate agent installation using logon scripts or other automated processes.
Because the McAfee Agent installer requires a higher privilege level than most logged on users, the installer binary must have a way to elevate its privilege level. To work around this limitation, you can embed credentials in the binary installer package. The embedded credentials allow the binary to successfully install the software.
IMPORTANT: Because an installer package created for this purpose has embedded credentials, access to it must be severely restricted. Use installer packages with embedded credentials only in specific situations where another deployment method is not available.
If you must use an installer package with embedded credentials, implement the following security precautions:
- Use a non-administrator account
Create an account with access only to the local administrators group on the intended clients. McAfee recommends that you use a different account from what you normally use for operations.
- Change your passwords often
When you change your password, it invalidates lingering binaries with embedded credentials.
McAfee recommends that you change this password, and create a new distribution binary. You must undertake this action at least weekly.
- Disable the account when not in use
If you deploy to multiple systems in batches, consider disabling the account when there are no deployments being performed. Disabling the account, prevents the credentials from being used.
- Further limit the access of the account
The installer account requires only local administrator rights to the client systems. It must not have rights to access key servers such as:
- Active Directory master
- File servers
- Print servers
- Consider not using this method on key assets
When possible, do not use a package with embedded credentials on key server assets. An administrator can install the package directly onto the system.
- Enable security audit logs
Enable and monitor the use of this account. If the account is used correctly, it shows only a single logon, to the intended clients at the time of deployment. Immediately investigate any other access attempts by this account.
