FAQs for Management of Native Encryption
Technical Articles ID: KB79614
Last Modified: 3/14/2018

Environment

McAfee Management of Native Encryption (MNE) 4.1, 4.0, 3.0

Summary

This article provides a consolidated list of common questions and answers and is intended for users who are new to the product, but can be of use to all users.

Recent updates to this article
  • March 14, 2018: Implemented expand and collapse design.




What is the primary purpose of MNE?
MNE 1.0 was the first version of a new encryption product that gives you the ability to report and manage the Mac OS X FileVault feature directly from ePolicy Orchestrator (ePO). MNE 2.0 and later introduced the ability to also report and manage Windows BitLocker.


What is new in MNE?
  • MNE 4.1 - This release includes several fixes and new features.
    New features are documented in the Release Notes (PD26393).
    MNE 4.x Known Issues are documented in (KB86057).

    NOTE: MNE 4.1 adds new features to the BitLocker client only. The Mac client was not updated in this release, so the MNE 4.1.0 release package includes the Mac OS X 4.0.0 software packages.
  • MNE 4.0 - This release includes several fixes and new features.
    New features are documented in the Release Notes (PD26228).
    MNE 4.x Known/Resolved issues are documented in the known issues article (KB86057).
  • MNE 3.0 - This release includes several fixes and new features.
    The new features are documented in the Release Notes (PD25839).
    MNE 3.x Known/Resolved issues are documented in the known issues article (KB84167).

    NOTE: MNE 3.0 added new features to the BitLocker client only, to achieve even greater parity between BitLocker and FileVault solutions. The Mac client was not updated in this release, so the MNE 3.0.0 release package includes the Mac OS X 2.1.0 software packages.

How can I obtain MNE?
MNE is included in the following four suites:
  • McAfee Complete Data Protection (CDB)
  • McAfee Complete Data Protection - Advanced (CDA)
  • McAfee Complete Data Protection - Essential (CDE)
  • McAfee Complete Endpoint Protection - Business (CEB)
NOTE: There is no additional charge to customers for this capability.


Why add management of Windows BitLocker with MNE when we already have Drive Encryption (DE) or Endpoint Protection for PC (EEPC)?
MNE for BitLocker is a secondary option for existing DE customers and new prospects. One of the goals is to give customers an option if they want only basic encryption, especially customers who are already using BitLocker on all or a group of endpoints. One application of MNE on Windows is to enable management through ePO of small clusters of systems that cannot currently be managed with DE, such as Windows to Go devices or Surface Pro tablets.

For bring your own device (BYOD) type assets, there is also a “Report Only” mode. This mode is similar to what was offered in MNE 1.0 for FileVault management, where ePO can report that encryption is enabled for that endpoint, but does not manage the endpoint.


Will DE and MNE both continue to be developed in the future?
Yes. DE is a Gartner-MQ winning enterprise solution and offers many more customer-centric features than Microsoft BitLocker including, but not limited to: user-based preboot, smart card and biometric authentication, self-recovery, complex user-based policies, Endpoint Assistant, and support for Intel® AMT and ePO Deep Command. MNE is designed to provide a simple and easier-to-manage encryption solution that manages the built-in OS encryption of Apple OS X and Microsoft Windows.


What is FileVault?
FileVault is the native OS encryption product from Apple. It encrypts the entire OS X startup volume, typically including the home directory, but not non-OS volumes. It supports a user-based preboot.


What is BitLocker?
BitLocker is the native OS encryption product from Microsoft. It is available on certain editions of the OS. It can encrypt the entire OS volume and any other volumes on the system. It does not support a user-based preboot, meaning that all users who share a system need to know the same password. Support for management of Windows BitLocker was added in MNE 2.0.

Compatibility - Mac (FileVault) specific
What versions of OS X does MNE Support?
MNE 4.1 provides full support of Mac OS X 10.10.x (Yosemite) and Mac OS X 10.11.x (El Capitan).

NOTE: For the latest information about supported operating systems, and OS X versions supported by earlier versions of MNE, see KB79614.

Compatibility - Windows (BitLocker) specific
Does MNE support Windows 10?
Yes. For a list of supported operating systems, see KB79614.


Is Windows 10 Enterprise Long-Term Servicing Branch (LTSB) supported with MNE?
No. MNE currently only offers support for official Windows 10 builds, which include Current Branch (CB) and Current Branch for Business (CBB).

NOTE: LTSB is Microsoft terminology for a Sustaining build that does not receive feature updates and is limited to security patches in general.


Does MNE support XP or Vista?
No. BitLocker support was added with the introduction of MNE on Windows 7 and later.


Does MNE support Windows to Go?
Yes. For details, see KB82249.
NOTE: For the latest information about supported operating systems, see KB79614.


Which versions of ePO can be used with MNE?
See the MNE supported environments article for details: KB79614.

NOTE: MNE 4.x only supports ePO 5.x; support for ePO 4.6 (which is End of Life) was dropped in MNE 4.0 and later.


Can I simply move from Microsoft BitLocker Administration and Monitoring (MBAM) client to MNE?
Yes. You need to push the MNE client software to the endpoints and enable MNE reporting policy in the first instance. After you see your systems reporting BitLocker status, you can then start removing MBAM from the endpoint and enabling the MNE management policy. For example, set the BitLocker product policy to Turn-on (enable) BitLocker with appropriate options. If you fail to remove MBAM from the endpoint, there will be conflict between the two management solutions as they compete to manage BitLocker.


Can MNE manage Trusted Platform Module (TPM)?
No. MNE does not manage TPM. On Windows 7 systems, you need to manage TPM yourself. On Windows 8 and above, the operating system can manage TPM for you if you have not already managed it.


Does MNE support Opal drives on supported operating systems?
Yes. Support for Opal drives is included with MNE 4.1 and later.

Install or Upgrade - General
Is there an installation prerequisites check list?
Yes. Before installing MNE, or subsequently enabling BitLocker on a Windows client or FileVault on a Mac OS X client, ensure that the relevant prerequisites are satisfied, as documented in KB86810.

How do I deploy Network Unlock (MNE 4.0 and later)?
When you deploy MNE 4.0, ensure that you have installed the MNE Advanced Features extension (mneadvancedfeatures.zip) in McAfee ePO. Installing this extension enables the Network Unlock feature.

Installation/Upgrade - Mac (FileVault) specific
What is the quickest way to go to compliant mode with MNE 4.0 Mac OS X?
MNE 4.0 and later provide a stand-alone installer for Mac OS X systems, which installs the McAfee Agent and the MNE (FileVault) product. For more information about installing MNE, see the Management of Native Encryption Product Guide:
How can we provision McAfee Agent (MA) running in unmanaged mode to the ePO server after installing MA using MNE stand-alone installation package?
With McAfee Agent 4.8 Patch 2, it is possible to provision MA running in unmanaged mode to connect to the ePO server for remote management. The ePO Remote Provisioning tool bundled with MNE 2.x and later provides a simple interface for remote provisioning with the ePO server when installed on a Mac OS X system. The tool requires the ePO address, and the username and password of a user that exists on the ePO server, to configure the McAfee Agent running in unmanaged mode to connect with the ePO server. The user can be limited to an Executive Reviewer role with limited permissions on the ePO server. The following table describes two solutions with procedural explanations:
 
Solution 1: Provision the MA running in unmanaged mode to connect to the ePO server for remote management by creating a user on the ePO server with restricted permissions.
  1. Log on to the ePO server console in a supported browser.
  2. Click Menu, User Management, Users.
  3. To add an ePO user, under Users click New User.
  4. Enter the user name.
  5. Set the logon status to Enabled.
  6. Select the authentication type ePO authentication.
  7. Set the password for the user.
  8. Add other details such as Full Name, Email Address, Phone Number, and so on. These are optional fields.
  9. Select the permission set Executive Reviewer under Manually assigned permission sets.
     The default permission set Executive Reviewer has permissions to view dashboards, events, and contacts, and can view information that relates to the entire System Tree.

Solution 2: Provision the McAfee Agent on an OS X client system using that ePO user.
  1. Launch the ePO Remote Provisioning Tool from the extracted MNE package, found under /Applications/Utilities/.
  2. Enter the ePO address, username, and password.
  3. Click Configure.
  4. Enter the OS X admin password when prompted.


What is the best practice recommended in deploying MNE and Endpoint Security for Mac (ESM), formerly Endpoint Protection for Mac (EPM), together?
Generally, MNE and ESM/EPM can be deployed on Mac OS X systems in either order. For large-scale enterprise deployments, we recommend deploying ESM/EPM first, followed by MNE.

Installation/Upgrade - Windows (BitLocker) specific
Is it possible to migrate from Drive Encryption (DE) to MNE?
Yes. Follow the steps in KB82544 for details about how to migrate to MNE.


Is it possible to migrate from Endpoint Encryption for Mac (EEMac) to MNE?
Yes. Follow the upgrade steps below:
  1. Deploy MNE to the client system with the appropriate policy settings for your company environment.

    NOTES:
    • The system can have both EEMac and MNE installed at the same time.
    • MNE will not enable FileVault on a client system if EEMac is installed and active.
    • Mac OS X: The system must be running Lion or Mountain Lion. EEMac does not support Mavericks.
  2. Deactivate and uninstall EEMac.
  3. Monitor the progress of the removal of EEMac in the ePO dashboard to confirm that it is uninstalled.

    NOTE: After EEMac is uninstalled, MNE will automatically enable FileVault at the next policy enforcement.

Configuration - General
How do I define access rules for Network Unlock?
Access rules are defined on the Server Settings page in ePO. For more information about server settings and Network Unlock policies, see the Product policies section of the MNE 4.0 Product Guide (PD26229).
The data volumes on the target servers are protected by encryption keys that are held by the ePO server and released to endpoints on request, according to workflows that the Administrator can define. Audit reports in ePO help the Administrator review the state of volume access control across the server estate.


Why should I enable key-rotation in the server settings page?
Unlike Drive Encryption, BitLocker recovery keys have no random element, which means that a recovery key remains valid until it is actually changed; if the recovery key falls into the wrong hands, an attacker could gain access to the system. Enabling the key-rotation setting on the Server Settings page ensures that whenever anyone views a recovery key in ePO (through MNE recovery or DPSSP), the server instructs the endpoint to change its recovery key at the next opportunity, closing this security hole.

Configuration - Mac (FileVault) specific
A Mac OS X system is configured with an Active Directory (AD) server, and AD users are also enabled for FileVault preboot logon. What are the recommended MNE policy settings?
Issues have been seen on Mac OS X systems where, when an AD user changes their password periodically on the Mac OS X system, the new password fails to sync with the FileVault preboot. This happens when the MNE policy Destroy FileVault key in standby mode is enabled. We recommend disabling this policy option if Mac OS X systems have AD users. For more information, see KB81289.


Is it possible to configure MNE for FileVault to only allow for one user at preboot?
No. After MNE enables FileVault, Mac OS X adds the currently logged-in user to the FileVault preboot. After FileVault is enabled on the system, whenever a new user is created on the system, Mac OS X adds that user to the FileVault preboot logon automatically. MNE does not support restricting preboot logon to a single user because FileVault user management is not controlled by MNE.

Configuration - Windows (BitLocker) specific
Where is the User Interface to manage FileVault users in MNE?
MNE does not provide support for FileVault user management. To manage Mac users, you must use the standard Apple user-management features (in System Preferences, Users & Groups), which require administrative privileges. For more details, see KB79648.


What authentication types are supported with BitLocker?
MNE supports TPM, TPM+PIN, and Password authentication. Password authentication is only available with Windows 8 and later.


Why is there no policy option for USB authentication with BitLocker MNE?
USB authentication is not supported with MNE for security reasons.


Why does MNE encrypt all volumes on a Windows system, and use the same PIN/password to unlock them all?
MNE is configured to use auto-unlock for all non-OS volumes in this release to simplify the user experience; a user will have only one password or PIN to remember. This reduces the likelihood that users will write their passwords down.


What permissions are required to provision the McAfee Agent running in unmanaged mode when using the MNE stand-alone installer?
The ePO Remote Provisioning tool requires the ePO address, username, and password of the user to be entered. The user can be limited to an Executive Reviewer role with limited privileges on the ePO server. For information about how to use the Remote Provisioning tool bundled with MNE 2.0 and later, see KB82640.

General Functionality
When a system is deleted from ePO, is it still possible to use the serial number to obtain the recovery key?
Yes. The serial number and recovery key are not deleted when a system is removed from ePO.


When a computer has two drives that are both BitLocker protected, if the secondary drive fails or is removed and a new one is installed, is the new drive automatically encrypted?
The new drive will automatically be managed by MNE at the next policy enforcement. When a normal encryption policy is enforced, MNE generates a new auto-unlock key (the standard unlock mechanism for data volumes) and a new Recovery Key for that drive, and escrows the Recovery Key to ePO before encryption begins. The user does not need to take any manual steps.


Can I use Network Unlock on workstations?
Typically workstations are not used for the sharing of data via their data volumes; this is a role typically reserved for server-based systems because of their performance specifications and user management capabilities. Because of the specific nature of the feature design, support is limited to server platforms that are documented in the supported platforms list. Refer to the MNE supported environments article. For details, see KB79614.


Does MNE support BitLocker to Go (BitLocker encryption for USB drives)?
No. McAfee recommends that you use McAfee File and Removable Media Protection (FRP) to encrypt USB drives.


What is the maximum number of times a user can postpone activation (MNE 4.1 and later)?
The user can postpone the activation up to 10 times. This option is located under the Authentication policy section.

NOTE: This feature, introduced in MNE 4.1, restricts the number of postponements on activation to reduce the amount of time a client system is not encrypted. Systems that are already encrypted have already been activated, so any policy change that requires different credentials to be entered will allow the user to postpone the credentials dialog any number of times because the system is already in an encrypted state.


When might I want to use the Postpone Activation option?
Sometimes it is not convenient for a product to be installed or updated in busy periods or perhaps during a customer meeting, and allowing the flexibility to defer this action can improve user experience during a deployment phase.


Why would I want to use the MNE Control Panel Applet?
Credential management is the key to maintaining an effective security posture and usability within a managed estate.
Key points:
  • Administrators may wish to lock down the end user's ability to change the BitLocker configuration by removing the BitLocker Control Panel item and replacing it with the MNE user interface, which is also accessed through the Control Panel.
  • Disabling the BitLocker Control Panel item removes the end user's ability to disable BitLocker protection, manage the TPM, and save or print the recovery password, actions that may fall outside a company's security best practices.
  • When the BitLocker Control Panel item has been removed, the MNE interface still allows non-administrator users to change their password when they need to. This reduces the need to raise a help desk ticket and enables more efficient working practice while maintaining an effective security posture.
  • Note, however, that users with administrative privileges will still be able to manage BitLocker through the BitLocker command-line tool manage-bde.

How do I Hide Default BitLocker Encryption in the Windows Control Panel?
Please refer to the following Microsoft TechNet article https://technet.microsoft.com/en-us/library/jj571554.aspx


Where do I find System by Username?
You can view the Find MNE systems by user name dashboard on the Dashboards page.


Why would I typically use Find System by Username?
This feature is particularly useful when the owner of a system calls in to report the system lost or stolen and does not have the system details at hand.


How can I disable protection while I modify the operating system?
MNE 3.0 introduced a new endpoint-side tool (MaintenanceMode.exe) which can be used to disable protection for a set period or number of reboots. You should use this tool instead of disabling protection yourself through non-MNE tools; otherwise MNE policy enforcement will simply re-enable protection when it next enforces policy. You can build this tool into your endpoint-side scripts during OS refreshes and upgrades.


How do I achieve scalability?
To achieve maximum scalability within large environments, ensure that your ePO and Database servers run on well-resourced physical servers (not within Virtual Machines), and that you configure ePO with more than one agent handler. Refer to the respective ePO best practice guide for more details.


Can I export MNE policies from one ePO server to another?
Yes. You can export MNE policies from one server and import to another. However, please review KB84614 before importing policies; some versions of ePO will export an internal system policy and care is required to ensure that you do not inadvertently import the internal system policy as well as product policy.


Why does a system with no data drives report “Pass” against Security Posture tests?
The Security Posture Reporting tests will return Fail only if there is something that fails the specific test. In the case that there are no data drives, there is nothing to make the tests fail, and therefore (by implication) they pass. In other words, the report is tasked with finding systems which are non-compliant; a system with no fixed drives cannot be non-compliant to fixed drive policy.


For reporting purposes, is there a way to see which key protectors are in use for a system and its volumes, as well as the encryption algorithm in use?
No. There are no ePO reports that show this. This information is only available through the manage-bde command.
For more details about how to use the manage-bde tool, see https://technet.microsoft.com/en-gb/library/ff829849.aspx.
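Added example (not McAfee's or MNE's own code) that serves the two questions above: it parses the text of `manage-bde -status`, the only place the protectors and algorithm are visible, into a per-volume summary, and applies pass/fail checks that, like the Security Posture tests, only fail when a volume actually fails a check. The sample output is constructed to mimic the manage-bde format; the protector names and check thresholds are this example's assumptions, not MNE policy values.

```python
"""Parse `manage-bde -status` text into per-volume key protectors, encryption
method and posture findings. Added example, not McAfee/MNE code; the sample
output below is constructed to mimic manage-bde's format, not captured."""
import re

# Constructed sample of `manage-bde -status` output: one OS and one data volume.
SAMPLE_STATUS = """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    AES 128
    Protection Status:    Protection Off
    Automatic Unlock:     Enabled
    Key Protectors:
        Numerical Password
        External Key
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]): \[(.*)\]$")
KIND_RE = re.compile(r"^\[(OS|Data) Volume\]$")
FIELD_RE = re.compile(r"^ {4}([A-Za-z ]+):\s*(.*)$")  # "    Name:   value"
PROTECTOR_RE = re.compile(r"^ {8}(\S.*)$")            # "        TPM"
# Protector names manage-bde prints for the unlock methods MNE policy supports
# (assumed names, see lead-in).
OS_UNLOCK_PROTECTORS = {"TPM", "TPM And PIN", "Password"}


def parse_status(text):
    """One dict per 'Volume X:' block: fields plus the Key Protectors list
    (protector names are indented one level deeper than the fields)."""
    volumes, cur, in_protectors = [], None, False
    for line in text.splitlines():
        if m := VOLUME_RE.match(line):
            cur = {"letter": m.group(1), "label": m.group(2), "kind": "Unknown",
                   "fields": {}, "protectors": []}
            volumes.append(cur)
            in_protectors = False
        elif cur is None:
            continue  # tool banner before the first volume
        elif m := KIND_RE.match(line):
            cur["kind"] = m.group(1)
        elif in_protectors and (m := PROTECTOR_RE.match(line)):
            cur["protectors"].append(m.group(1).strip())
        elif m := FIELD_RE.match(line):
            in_protectors = False  # a new field ends the protector list
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Key Protectors":
                in_protectors = True
            else:
                cur["fields"][key] = value
        else:
            in_protectors = False  # blank line or unrelated text
    return volumes


def assess(vol):
    """Findings for one volume; an empty list is a 'Pass' (a check only fails
    when the volume actually fails it, as with the Security Posture tests)."""
    f, findings = vol["fields"], []
    if f.get("Protection Status") != "Protection On":
        findings.append("protection is not on")
    if f.get("Conversion Status") != "Fully Encrypted":
        findings.append("volume is not fully encrypted")
    if "Numerical Password" not in vol["protectors"]:
        findings.append("no recovery password protector to escrow to ePO")
    if vol["kind"] == "OS" and not OS_UNLOCK_PROTECTORS & set(vol["protectors"]):
        findings.append("OS volume has no TPM, TPM And PIN or Password protector")
    return findings


def report(text):
    """Map volume letter -> encryption method, protectors and findings."""
    return {v["letter"]: {"method": v["fields"].get("Encryption Method"),
                          "protectors": v["protectors"], "findings": assess(v)}
            for v in parse_status(text)}
```

On a real host, pass the captured text of `manage-bde -status` to `report()` instead of SAMPLE_STATUS; a system with no data volumes simply produces no data-volume findings.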


If I transfer systems per KB79283 or redeploy the McAfee Agent from a different ePO server, will the encryption key be escrowed to the new ePO server?
Yes. If FileVault or BitLocker is enabled using MNE on the source ePO server, and the Transfer Systems option is used per KB79823, the key will be escrowed to the destination ePO server.

IMPORTANT: Key points to observe using FileVault as an example:
  • The MNE FileVault policy must be enabled on the destination ePO server prior to the transferring of systems.
  • If the MNE FileVault policy is not enabled on the destination ePO server, the McAfee Endpoint Protection for Mac Console status under Encryption and Management Mode will show FileVault as not managed and the Recovery Key Status will show Client has not escrowed the key in ePO.
  • If the policy is enabled after the system has been transferred and policy enforcement has taken place, the McAfee Endpoint Protection for Mac Console status under Encryption and Management Mode will show that FileVault is managed, but Recovery Key Status will still show Client has not escrowed the key in ePO.
  • The system can be transferred back to the source ePO server and then transferred back to the destination ePO server, and the key will then be escrowed.



Functionality - Mac (FileVault) specific
Does MNE support the use of Boot Camp?
MNE does not specifically provide support for Boot Camp. Mac FileVault itself does support Boot Camp. However, FileVault only encrypts the OS X volume on the disk. A Windows partition created using Boot Camp will remain unencrypted on the disk. This is pure FileVault functionality. For more details, refer to the Apple reference HT5639 at http://support.apple.com/kb/HT5639.

FileVault is already enabled on the Mac OS X system and the Mac OS X user has the recovery key available. What is the best practice to escrow this key to the ePO database safely?
The following table describes two solutions with procedural explanations:

Solution 1: Mac OS X systems running Mavericks (10.9.x) and Yosemite (10.10.x)
  1. The ePO admin enables recovery key import on the client by turning on the policy item Allow users to import recovery on client under the FileVault Product Settings policy for MNE.
  2. Launch the McAfee Endpoint Protection for Mac 3.0 application from the extracted package found under Applications / Encryption.
  3. Enter the recovery key, then click Apply.

Solution 2: Mac OS X systems running Mountain Lion (10.8.2 and later)
  1. Users of the Mac OS X systems send the recovery key to the ePO admin, along with the serial number of the Mac OS X system.
  2. The ePO admin imports all the FileVault recovery keys into the ePO database by using the import FileVault recovery key feature, available in ePO under Menu, Data Protection, Import FileVault Recovery key.

What is the recommended way to generate a new FileVault recovery key on systems installed with Mac OS X Mavericks 10.9.X and Yosemite 10.10.x?
For systems installed with Mac OS X Mavericks 10.9.x and Yosemite 10.10.x, it is possible to change or generate a new FileVault recovery key using either existing valid recovery key or password. For more information about generating a recovery key and importing it to the ePO database, see KB82481.


What is the recommended way to enable FileVault after it is turned on by the ePO admin through policy enforcement?
When the ePO admin enables FileVault on the system, FileVault is turned on in deferred enablement mode. This means that the currently logged-in user has been authorized to enable FileVault using their password. When the ePO admin enables FileVault, the end user on the Mac OS X system sees a notification to restart the system to enable encryption. The user has to restart and type the password at the password prompt screen to authorize FileVault. This enables FileVault encryption when the system boots again.


MNE has enabled FileVault for a currently logged on user; however, the system has multiple users. How can the logged on user enable FileVault preboot logon for the other users?
MNE does not play any role in adding FileVault logon to the users. The Mac OS X FileVault handles this operation. If a system has more than one user at the time of enabling FileVault, then the currently logged on user is authorized to log on at preboot. If you want to allow other users on the system to log on at the FileVault preboot, then the admin user on the Mac OS X system can enable these users by following these steps:
  1. Open Applications, System Preferences, Security & Privacy.
  2. Click Lock and type the administrator's user credentials.
  3. Click Enable Users.
  4. Select the users and click Enable User to enable the selected users as FileVault users.

I have a system partition but FileVault still fails to activate. Why?
For how to troubleshoot FileVault-related Management of Native Encryption activation issues, see KB84292.


Functionality - Windows (BitLocker) specific
Why will BitLocker not activate?
In order for BitLocker to activate, the system needs a system partition. Depending on how your Windows image was created, this may not be available, in which case you need to create the system partition before BitLocker will activate. In general, if you can activate BitLocker manually, MNE should be able to activate it as well.


I have a system partition but BitLocker still fails to activate. Why?
In general, if you can activate BitLocker manually, MNE should be able to activate it as well. For how to troubleshoot BitLocker-related Management of Native Encryption activation issues, see KB84290.


Can specific Active Directory (AD) groups be delegated the rights to recover the encryption keys?
No. Rights to encryption key recovery are defined by ePO permission sets assigned to ePO users, not via AD. The Data Protection Self Service Portal (DPSSP) can be used to allow users to recover systems that they have previously logged into. Note that users cannot recover systems that they have not previously logged into.


How will MNE handle BitLocker recovery keys stored in AD; is this done automatically?
When MNE is first installed on a system where BitLocker is already running, MNE backs up any recovery keys that already exist on the computer to ePO by pulling them from the client using the BitLocker API (no round trip to AD is required). MNE then also adds its own recovery key, so a system where MNE is taking over BitLocker will have multiple recovery keys, all of which are safely stored in ePO. All of this occurs at the first policy enforcement, as MNE brings BitLocker into compliance with the MNE policy.
