How to create Endpoint Encryption for Files and Folders 4.x Policies
Technical Articles ID:  KB72719
Last Modified:  12/07/2012

Environment

McAfee Endpoint Encryption for Files and Folders (EEFF) 4.x

 

Summary

EEFF 4.x Policy creation workflow.

EEFF keys and policies are created, stored, and managed in McAfee ePolicy Orchestrator (ePO). In order to meet highly variable security requirements, ePO allows these policies to be assigned on a user basis or on a system basis.

ePO 4.6 Policy and Key Assignment Options:

  • System Tree (Assigned Policies): System Based
  • Policy Assignment Rule: User Based
  • Policy Assignment Rule: System Based

ePO 4.5 Policy and Key Assignment Options:

  • System Tree (Assigned Policies): System Based
  • Policy Assignment Rule: User Based

 
As referenced in the Best Practice Guide (PD23262), McAfee recommends that you simplify EEFF policy assignments. Typically, you do this by defining a baseline or default policy for your organization and implementing it as a System Based policy. Then, for any exceptions to the policy, create a User Based Policy Assignment Rule (PAR). A User Based PAR always supersedes System Based policies (both those assigned via the System Tree and those assigned by System Based Policy Assignment Rules), so this is the easiest way to implement complex policies.

To create an EEFF 4.x policy in ePO: 

  1. To create a key, click Menu, Data Protection, EEFF Keys.

    NOTE: You must create keys before you can use them in policies or assign them to users or machines.
     
  2. To make the key available in at least one Grant Keys policy, click Menu, Policy Catalog, EEFF, Grant Keys.

    NOTE: You can only distribute keys to users or systems if they are in a Grant Keys policy. This makes the key available for use. However, users will not have access to the key until this Grant Keys policy is assigned to the user or system. This means key distribution only happens when the appropriate Grant Keys policy reaches the user's system.
     
  3. To create a policy that uses the encryption key, click Menu, Policy, Policy Catalog, Endpoint Encryption for Files and Folders.

    For example, when you create a Folder Encryption policy, you must select a key after you specify which folder(s) should be encrypted. If you skipped step 1, then a key will not be available at this point.
     
  4. Assign policies to users or systems using either of the following methods:
    1. Click Menu, Systems, System Tree (view Assigned Policies tab).
    2. Click Menu, Policy, Policy Assignment Rules.

      NOTES:
      • You must assign the policies created in Steps 3 and 4 to users and/or systems to take effect.
      • By default, all EEFF My Default policies are assigned via the System Tree, so they are applied to all systems that have EEFF installed.
         
  5. Assign keys to users or systems using either of the following methods, which can be completed at the same time as Step 4:
    1. Click Menu, Systems, System Tree (view Assigned Policies tab).
    2. Click Menu, Policy, Policy Assignment Rules.

IMPORTANT: Although you have already assigned a policy, that policy references keys and those keys can only be deployed by using a Grant Keys policy. So all the keys used by your encryption policies must be in their own Grant Keys policy, and that policy must be sent to the appropriate users or systems.
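The following is an added example, not code from the McAfee article or from ePO itself: a small Python model of the precedence stated above (User Based PAR supersedes System Based PAR, which supersedes the System Tree) and of the IMPORTANT note that a key only reaches a client through a Grant Keys policy. It assumes one effective policy per category and that keys from every assigned Grant Keys policy are available to the client; the policy and key names other than those from the article's own example are constructed.

```python
# Added example, not from the McAfee article: a small model of the ePO policy
# precedence the article states (User Based PAR > System Based PAR > System
# Tree) and of its IMPORTANT note that a key reaches a client only through a
# Grant Keys policy. Policy and key names below are constructed sample values.
from typing import Dict, Set

# One layer of assignment: category -> (policy name, set of key names).
# For an encryption policy the keys are the ones it references; for the
# "Grant Keys" category they are the keys the policy distributes.
Layer = Dict[str, tuple]

def effective_policies(system_tree: Layer, system_par: Layer, user_par: Layer) -> Layer:
    """Resolve the effective policy per category for one user on one system."""
    effective: Layer = {}
    # Later layers win, which encodes the precedence the article describes.
    for layer in (system_tree, system_par, user_par):
        effective.update(layer)
    return effective

def granted_keys(*layers: Layer) -> Set[str]:
    """Assumption of this model: keys granted by every assigned Grant Keys policy
    are available to the client (the article only says a key must be granted)."""
    keys: Set[str] = set()
    for layer in layers:
        if "Grant Keys" in layer:
            keys |= layer["Grant Keys"][1]
    return keys

def missing_keys(system_tree: Layer, system_par: Layer, user_par: Layer) -> Set[str]:
    """Keys the effective encryption policies need but no Grant Keys policy delivers."""
    effective = effective_policies(system_tree, system_par, user_par)
    needed = set().union(*(keys for cat, (_, keys) in effective.items() if cat != "Grant Keys"))
    return needed - granted_keys(system_tree, system_par, user_par)

# Baseline from the article's worked example: My Default policies on the System Tree.
SYSTEM_TREE: Layer = {
    "Grant Keys": ("My Default", {"EERM Recovery"}),
    "Removable Media": ("My Default", {"EERM Recovery"}),
}
# Constructed exception: a User Based PAR gives one group a different Removable
# Media policy that references a key nobody added to a Grant Keys policy.
FINANCE_USER_PAR: Layer = {"Removable Media": ("Finance RM", {"Finance Key"})}

if __name__ == "__main__":
    print(effective_policies(SYSTEM_TREE, {}, FINANCE_USER_PAR)["Removable Media"][0])  # Finance RM
    print(missing_keys(SYSTEM_TREE, {}, FINANCE_USER_PAR))  # {'Finance Key'}
    print(missing_keys(SYSTEM_TREE, {}, {}))  # set()
```

A non-empty result from missing_keys is exactly the situation the IMPORTANT note warns about: the policy is assigned, but the client never receives the key it references.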

Solution

Example Policy
Implement a removable media encryption policy on all systems, and allow the user to recover a forgotten password by using a recovery key:

  1. Create the recovery key:
    1. Click Menu, Data Protection, EEFF Keys.
    2. Create a key called EERM Recovery.
       
  2. Make the key available to all systems:
    1. Click Menu, Policy Catalog, EEFF, Grant Keys.
    2. Modify the My Default Grant Keys policy. This makes the key available to all systems because the My Default policies are applied to all systems by default.
    3. Move the EERM Recovery key from the left column to the right column, then click Save.
       
  3. Create a Removable Media policy that uses the EERM Recovery key:
    1. Click Menu, Policy, Policy Catalog, Endpoint Encryption for Files and Folders, Removable Media (My Default).
    2. Select Use McAfee Endpoint Encryption for Removable Media (EERM).
    3. Under Protect Area, select Entire device.
    4. Select Recovery key and, from the drop-down menu, select EERM Recovery key, then click OK.
    5. Under Options, as a best practice, select Exclude devices larger than and set the value to 32768.
    6. Under Options, as a best practice, select Make unprotected files and Folders and devices read-only (when used with EEFF).
       
  4. To assign this policy to all systems, click Menu, Systems, System Tree (view Assigned Policies tab).
    NOTE: Because you have modified the My Default policies, they are already assigned to all systems via the System Tree.
     
  5. To distribute the EERM Recovery key to all systems, click Menu, Systems, System Tree (view Assigned Policies tab).
    NOTE: Because you have modified the My Default policies, the key is already assigned to all systems via the System Tree.

The next time a managed system with EEFF synchronizes with ePO, it will get the policies and keys. To test this, insert a USB stick and see if the EERM initialization process starts.

© 2003-2013 McAfee, Inc.