How to use a Stored Value token in Drive Encryption
Technical Articles ID:   KB71556
Last Modified:  5/24/2018

Environment

 
McAfee Drive Encryption (DE) 7.X

For details of DE supported environments, see KB79422.
 

Summary

What is a stored value token?
A stored value token is a token on which DE stores some token data. You have to initialize these tokens with DE before you can use them for authentication. The token then holds the token data that is required to authenticate the user.
 
When is the stored value token initialized and what initializes it?
The stored value token is initialized the first time the user logs on to the preboot environment. DE, primarily the preboot environment, is responsible for initializing the token for use with DE. The initialization process does not require access to Active Directory. Technically, the token is initialized the first time the user accesses DE with it, which can be either in preboot or in Windows. Most users initialize the token in the preboot environment the first time they authenticate.

Solution

To make a Stored Value Token work
The following shows how to add a single user to a system and associate a stored value token with that user. The same logic can be applied to groups or multiple users. For demonstration purposes, this document explains how to use a stored value token with a single user.
 
Prerequisites
The following prerequisites are assumed in the following steps:
  • The user is already created in AD.
  • DE is installed on at least the minimum supported ePolicy Orchestrator (ePO) versions.
  • The Lightweight Directory Access Protocol (LDAP) Synchronization task is scheduled and run normally between ePO and AD.
     
  1. Log on to McAfee ePO as an administrator.
  2. Assign a user to a system.

    Select a user and give them access to log on to the system in the preboot environment. This can be achieved by one of two methods:

    Method 1 - Assigning the user as a group user to all systems:
     
    1. Click Menu, Data Protection, Encryption Users to open the Encryption Users page.
    2. Click the Group Users tab to open the list of Group Users.
    3. Click Actions, Drive Encryption, Add User(s).
    4. Select the user to add to the user group and click OK.

    Method 2 - Assigning the user directly to a system:
     
    1. Click Menu, Data Protection, Encryption Users to open the Encryption Users page.
    2. From the System Tree on the left, click the system you want to administer.
    3. Click Actions, Drive Encryption, Add User(s) to select a user to add to the list of users authorized to access this specific system.
    4. Select the user you want to add and click OK.

    NOTE: For more information, see the DE product documentation.
    For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.
  3. Create a User Based Policy for the token.

    To assign a specific token to a user, you need to create a user-based policy associated with that token type:
     
    1. Click Menu, Policy, Policy Catalog to open up the Policy Catalog page.
    2. In the Policy Catalog section select:
      • Product Catalog = Drive Encryption
      • Category = User Based Policies (UBP)
    3. Click Actions, New Policy to create a User Based Policy.
    4. Set the Policy Name and click OK.
    5. In the Authentication Tab, select the correct value for Token Type.
    6. Make any other required changes to the User Based Policy.
    7. When done click Save.
       
  4. Enable User Based Policy Enforcement for the user.

    Now that the user is assigned to access a system, and a user-based policy exists for the particular token, ensure that user-based policies are enforced for that user.
     
    1. Click Menu, Reporting, Queries & Reports to bring up the list of queries in ePO.
    2. Find the EE: Users query and click Run. You are shown a list of DE users.
    3. Select the user (obtained from the above section Assign a user to a system), and click Actions, Drive Encryption, Configure UBP Enforcement.
    4. Click Enable then click OK.
    5. When finished, click Close.
       
  5. Associate the User Based Policy with the User.

    Now that the user is assigned to access a system, a user-based policy exists for the particular token, and user-based policies are enforced for the user, you have to associate the user with the token:
     
    1. Click Menu, Policy, Policy Assignment Rules to bring up the policy assignment rules page.
    2. Click Actions, New Assignment Rule to create an assignment rule.
    3. Type an appropriate value for the Name of the rule and click Next.
    4. (Optional) Correctly define the selection criteria including/excluding systems to specify the correct branch in the ePO System Tree where this policy assignment rule applies.
    5. Click User from the Available Properties section on the left side. You see a line for the User on the right side.
    6. Select the user (obtained from the previous section Assign a user to a system), and click OK.
    7. Click Next.
    8. Click Add and select the User Based Policy (obtained from the previous section Create a User Based Policy for the token).
      • Product = Drive Encryption
      • Category = User Based Policies
      • Policy = Policy (obtained from the previous section Create a User Based Policy for the token)
    9. Click OK and click Next.
    10. Ensure that the details are correct and click Save.
       
  6. Force a synchronization with the client.

    Now that everything is properly configured, you must update the client with the user who can authenticate with preboot, the recently created policies associated with that user, and their token data.

    You can then force a synchronization from ePO using an Agent wake-up call, force it from the client using the McAfee Agent user interface, or wait for the next ASCI and Policy Enforcement interval.

    During the synchronization, the log shows an entry for Enforcing User (<name>) Policies for EE_Admin1000, where <name> is the user obtained from the previous section Assign a user to a system.
     
  7. Restart the system and authenticate.

    After you have restarted your system, you see the DE preboot. At this stage, the user is prompted to authenticate. Ensure that the token is inserted either before booting the system, or before trying to authenticate.
    1. Type the user name (obtained from the previous section Assign a user to a system), and click Next. The user is prompted for the PIN for the stored value token.
    2. The token is initialized and the system then boots into Windows.

The token is now ready to use and is successfully assigned to the user.

IMPORTANT:
The following can apply to the steps associated with using DE and a Stored Value token:
On some tokens, the middleware must be present on the client for authentication in Windows to continue. Authentication in preboot does not require middleware.

To make Single Sign On work
If you have selected SSO to be enforced in your policy, the initial boot does not capture the SSO credentials for this user. For the first boot sequence, the user has to authenticate twice, which allows DE to capture the relevant information. On subsequent boots, the user only has to authenticate in preboot.
