How to install, configure, and use the Self Service Portal with Drive Encryption
Technical Articles ID:   KB83541
Last Modified:  8/2/2017


Environment

McAfee Data Protection Self Service Portal (DPSSP) 1.1
McAfee Drive Encryption (DE) 7.1 Patch 2 and 3 (7.1.2, 7.1.3)

For details of DE 7.1.x supported environments, see KB79422.

Summary

This article contains important information about the installation, configuration, and operation of the DPSSP, which can be used with Management of Native Encryption (MNE) and DE to allow a user to obtain the recovery key or response code for a system.

NOTE: The installation instructions contained in this article are now included in the DE 7.2 Product Guide (PD26653).

IMPORTANT: Privacy Notice
DPSSP collects users' login names, system names, IP addresses, and audit data. Access to this information is available in DPSSP reports within ePolicy Orchestrator (ePO). Ensure that access to these reports is authorized and appropriately managed.

The authorized client user can use DPSSP to obtain information needed to perform system recovery for:
  • Apple FileVault (using MNE)
  • Microsoft BitLocker (using MNE)
  • DE 
The administrator must first install the dpssp.zip extension in ePO and configure the required DPSSP server settings. An authorized client user can then open the DPSSP portal on a system and obtain a response code for DE by entering the corresponding challenge code for the system to be recovered.

The full DPSSP URL is displayed in Menu, Configuration, Server Settings, DPSSP Settings.

The DPSSP URL will be of the general form https://<ePO IP address>:<port>/dpssp/selfRecovery

IMPORTANT: The default port number used in the DPSSP URL is 8443. To review an issue where using Port 8444 causes a problem with the website's security certificate when accessing DPSSP, see KB86781.

Solution

Perform system recovery using the DPSSP:
  1. Configure DPSSP server settings on ePO:
    The administrator must configure DPSSP server settings within ePO to allow a user to obtain the recovery key or response code on the client system using DPSSP.
    NOTE: Before you begin, ensure that you have installed the dpssp.zip extension on the ePO server.
     
    1. Log on to the ePO server as an administrator.
    2. Click Menu, Configuration, Server Settings.
    3. On the left pane, select DPSSP Settings and click Edit.
    4. Enable the Self Service Portal option.
    5. Next to ePO user, type the ePO user name.

      NOTE: Ensure that the ePO user name that you enter has the permission(s) to perform recovery operations for the required products (MNE/DE). We recommend that you create a specific ePO user for DPSSP recoveries, and limit the permission set privileges to recovery only for the required products (MNE/DE).
       
    6. Next to Authentication, select the Active Directory that users are to be authenticated against.
    7. Next to Logging, enable the Log authentication attempts and Log user activity options.
    8. Next to Blocking, enable the Enable IP address blocking option, and perform the following operations:
      1. Block IP address after (failed logins) - Type the numeric value to block the IP address after the specified number of unsuccessful logon attempts.
      2. Unblock after (minutes) - Type the numeric value in minutes to unblock the respective IP address after the specified number of minutes.

        NOTE: To instantly unblock an IP address, refer to step 3.
         
    9. Next to Blocking, enable the Enable user blocking option, and perform the following operations:
      1. Block user after (failed logins) - Type the numeric value to block the user after the specified number of unsuccessful logon attempts.
      2. Unblock after (minutes) - Type the numeric value in minutes to unblock the respective user after the specified number of minutes.
        NOTE:
        • If you either install the dpssp.zip extension or restart the ePO system, you cannot block or unblock users for 10 minutes.
        • To instantly unblock a user, refer to step 3 below.
    10. Next to Session, type the numeric value in minutes to log off the user's session after the specified number of minutes.
    11. Click Save.
  2. Enable the DPSSP permission set for unblocking users or IP addresses:
    Enabling the DPSSP permission set allows you to remove users or IP addresses from the blocked list in the event of multiple failed logons (in the DPSSP portal) by users or IP addresses, leading to them being blocked.
    1. Click Menu, User Management, Permission Sets.
    2. Next to the Data Protection Self Service Portal permission set, click Edit.
    3. Next to the Data Protection Self Service Portal option, select Unblock users or IP addresses.
    4. Click Save.
  3. To instantly unblock a user or IP address after the specified number of unsuccessful logon attempts:
    1. Log on to the ePO server as an administrator or a user with the correct permission set (described above).
    2. Click Menu, Reporting, Queries & Reports.
    3. On the Groups pane, under the McAfee Groups category, select Data Protection Self Service Portal.
    4. Select the Blocked users or Blocked IP addresses query, and click Actions, Run.
    5. Select the required user or IP address, click Actions, Unblock users or IP addresses.
    6. Click Yes when the system prompts Are you sure?
  4. Obtain a response code for a DE client system using DPSSP:
    To obtain a response code for the system, the DE client user must open the DPSSP portal using a web browser and enter the challenge code for the system that is to be recovered.

    NOTE: Before you begin, note that this task must be performed by the client user on the system.
     
    1. In the address bar of a web browser, enter the URL for the DPSSP provided by your Administrator or Help Desk, which will be of the general form https://<ePO IP address>:<port number>/dpssp/selfRecovery, and then press ENTER.
    2. Select the required Language, type the domain user name prefixed with domain name, type the password, and then click Login.

      NOTE: If you exceed the specified number of unsuccessful logon attempts as set in ePO, your user account will be blocked and you will see the message Login failed. In that case, you must wait for the specified number of minutes as set in ePO for your DPSSP account to be unlocked.
       
    3. (Optional) Upon a successful login, if DE and MNE are both installed in the environment managed by ePO, the user will need to select the appropriate product.
    4. Type the challenge code for the DE system to be recovered, and then click Get key.

      Upon entering a valid value, a Recovery Code will be displayed that can then be used to recover the system.

      Note that you must be listed as a user against the client system you are trying to recover.

      If the challenge code is not recognized, the user should check that the value entered was correct and then contact the help desk. The help desk can then check the ePO User Audit log for more detailed information.
       
    5. Click Logout.
  5. View the DPSSP reports:

    IMPORTANT: Privacy and DPSSP reports
    Ensure that access to these reports is authorized and appropriately managed. DPSSP reports within ePO contain users' login names, system names, IP addresses, and audit data.

    To run and view the standard DPSSP reports from the Queries & Reports page:
    1. Log on to the ePO server as an administrator.
    2. Click Menu, Reporting, Queries & Reports.
    3. On the Groups pane, under the McAfee Groups category, select Data Protection Self Service Portal.

      You can now view these standard reports (query name, followed by its description):
      • Blocked IP addresses: Displays the IP addresses of client systems that are blocked.
      • Blocked users: Displays the list of users who are blocked.
      • Number of recoveries per point product in the last 24 hours: Displays the number of recoveries per point product in the last 24 hours.
      • Number of recoveries per point product in the last 30 days: Displays the number of recoveries per point product in the last 30 days.
      • Number of recoveries per user in the last 24 hours: Displays the number of recoveries per user in the last 24 hours.
      • Number of recoveries per user in the last 30 days: Displays the number of recoveries per user in the last 30 days.
         
    4. From the Queries list, select the required query.
    5. Click Actions, Run. The query results appear. You can also edit or duplicate the query, and view the details.
    6. Click Options, Export Data, make the required selections, and then click Export to export the query data.
    7. Click the .xml link to open the query data or right-click and save the .xml file to the required location.
    8. Click Close.
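
The two Blocking options configured in steps 8 and 9 of "Configure DPSSP server settings on ePO" cover different failure patterns, which is why both are enabled. The following Python model is an added example, not McAfee code: the names Blocker and replay are hypothetical, the events and thresholds are constructed, and it assumes that failures are counted consecutively, reset on a successful login, and are not counted while a block is active. DPSSP's actual counting rules are not described in this article.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Blocker:
    """Model of one DPSSP Blocking option (assumed semantics, see lead-in)."""
    block_after: int      # "Block ... after (failed logins)"
    unblock_after: int    # "Unblock after (minutes)"
    failures: dict = field(default_factory=lambda: defaultdict(int))
    blocked_until: dict = field(default_factory=dict)

    def is_blocked(self, key, now):
        return now < self.blocked_until.get(key, -1)

    def record(self, key, now, success):
        if success:
            self.failures[key] = 0
            return
        self.failures[key] += 1
        if self.failures[key] >= self.block_after:
            self.blocked_until[key] = now + self.unblock_after
            self.failures[key] = 0

def replay(events, ip_rule, user_rule):
    """Replay (minute, ip, user, password_ok) events; return one outcome each."""
    outcomes = []
    for minute, ip, user, ok in events:
        if ip_rule.is_blocked(ip, minute):
            outcomes.append("blocked-ip")
        elif user_rule.is_blocked(user, minute):
            outcomes.append("blocked-user")
        else:
            ip_rule.record(ip, minute, ok)
            user_rule.record(user, minute, ok)
            outcomes.append("ok" if ok else "failed")
    return outcomes

# Constructed sample events (not real log data).
EVENTS = [
    (0, "10.0.0.5", "CORP\\alice", False),
    (1, "10.0.0.5", "CORP\\bob", False),
    (2, "10.0.0.5", "CORP\\carol", False),  # third failure from this IP
    (3, "10.0.0.5", "CORP\\dave", True),    # refused: IP block is active
    (4, "10.0.1.1", "CORP\\erin", False),
    (5, "10.0.1.2", "CORP\\erin", False),
    (6, "10.0.1.3", "CORP\\erin", False),   # third failure for this user
    (7, "10.0.2.9", "CORP\\erin", True),    # refused: user block is active
    (22, "10.0.2.9", "CORP\\erin", True),   # user block (15 min) has expired
]

def demo():
    # IP rule: block after 3 failures for 30 minutes; user rule: 3 failures, 15 minutes.
    return replay(EVENTS, Blocker(3, 30), Blocker(3, 15))
```

In this model, entries that come back as blocked-ip or blocked-user correspond to what the Blocked IP addresses and Blocked users queries would list until the unblock interval passes or an administrator unblocks them as described in step 3.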
