Knowledge Center

FAQs for File and Removable Media Protection 5.0.x
Technical Articles ID:   KB85876
Last Modified:  7/29/2019


McAfee File and Removable Media Protection (FRP) 5.0.x

  • File and Removable Media Protection is the new name for Endpoint Encryption for Files and Folders (EEFF).
  • Removable Media Protection (offsite access options), was formerly known as Endpoint Encryption for Removable Media (EERM).


This article is a consolidated list of common questions and answers. It is intended for users who are new to the product, but can be of use to all users.

Recent updates to this article:
Date Update
July 29, 2019 Updated link to FRP Best Practices guide in the Functionality section.
December 3, 2018 Updated FAQ "How can I perform a local client FRP upgrade using a third-party tool". Removed the sentence "An FRP entry in Add/Remove Programs is only installed when the original installation was undertaken locally using the FRP MSI installation package". Added four new steps.
July 25, 2018 Replaced links to KB78872 (EEFF EOL article) with a link to KB81433 (FRP article).
July 24, 2018 Updated the answer to the FAQ "Can I use 'User personal keys' in a Host DLP policy?" in the Compatibility section, from "No", to "Yes".
May 22, 2018 Review of all FRP FAQs, updates, and deletions implemented.
Consolidation of related FAQ topics.
Back to Top jump links added to four sections.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Click to expand the section you want to view:

What are the broad use cases that FRP addresses?
FRP protects data on local drives, network shares, and removable media devices. Specifically, it offers options to:
  • Encrypt files/folders on local drives.
  • Encrypt files/folders on network shares.
  • Encrypt files/folders synced to Cloud Storage services
  • Encrypt removable media devices.
    • Restricts usage of encrypted removable media devices to just within the company’s environment (onsite access only).
    • It can allow encrypted devices to be read on systems without having to install any McAfee Encryption software.
  • Encrypt email attachments.

What does persistent encryption feature mean?
Persistent encryption means the ability to maintain the encryption state of files for operations performed through Windows File Explorer.

Is the process of encrypting files/folders on local drives or network shares policy-driven or user-driven?
It can be both. The administrator can take the policy-driven approach and configure policies to encrypt either:
  • Files based on applications using the Application-based Protection policy.
  • Files/folders based on location, which can be either a local drive or a network share, using the Location-based Protection policy
The administrator can also allow end users to selectively encrypt or decrypt files and folders by enabling the Explicit Encrypt and Explicit Decrypt options.

Does FRP support USB 3.0 devices?

Does FRP 5.0.x support a Virtual Desktop Infrastructure (VDI) environment?
Yes. FRP 5.0.x offers support for certain selected modes of Citrix XenDesktop 7.1 and later.
Additional VDI facts:
  • Supported VDI mode: Remote PC Access option (Existing VMs and Physical systems) under Operating System and Hardware (Create Machine Catalog)
  • For a VDI environment that is not supported: If you require support for additional platforms in a VDI environment, submit a product idea. For details about submitting a product idea, see the Related Information section. Support for additional versions or platforms of VDI environments will be considered for future releases.

Does FRP support the Advanced Format Drives that have a 4-KB hard disk sector size?
FRP does not currently support the 4-KB native drives because the current Microsoft operating systems do not support this format. But, FRP products do support Microsoft operating systems that support drives that use the Advanced Format of 4 KB physical and 512-byte logical sector size. The drives in this mode emulate 512-byte sectors, so no issues are expected. For further details, see KB71582.

Does FRP support governmental regulations, for example, HIPAA or FISMA, for records retention or retrieval?
McAfee encryption products can help address many of the compliance requirements.
NOTE: Use of McAfee Endpoint Encryption solutions does not automatically guarantee compliancy or certify compliancy. Customers must enlist the services of third-party compliancy auditing services.

Is FRP Common Criteria Evaluation Assurance Level certified?
Yes. FRP 4.3.1 is the first version to be certified at the EAL2+ level of assurance through the Canadian Common Criteria Evaluation and Certification Scheme (CCS). For more information, see: https://www.cse-cst.gc.ca/en/publication/mcafee-file-and-removable-media-protection-431-and-epolicy-orchestrator-512.

What burning software does FRP support with CD/DVD Encryption (Onsite Access Only)?
FRP supports Windows Burner (Mastered Format), Nero, and Roxio Creator.

Is FRP compatible with the Microsoft Encrypted File System (EFS)?
No. Because EFS and FRP are file encryption products and work at the same file system level, there would be a driver conflict. For more information about EFS, see http://windows.microsoft.com/en-US/windows-vista/What-is-Encrypting-File-System-EFS.

Is FRP compatible with the Microsoft Extended File Allocation Table (ExFAT)?
Yes. When the question is specifically for the container-based model of encrypting USB devices. The base file format does not matter because FRP creates a secure FAT32-based container on top of it which is independent of the base file format.

Does FRP encrypt the Windows system page file?
Yes. FRP always encrypts the page file, which is why the page dump file is also encrypted. Not encrypting the Windows page file would be a security loophole.

Are the Microsoft Windows system files encrypted with FRP?
No. System files are excluded from encryption as a safety precaution.

Does FRP support encryption of files uploaded on a SharePoint server?
FRP cannot communicate directly with Microsoft SharePoint Portal Server because it is a web-based document management system.
SharePoint uses socket communication for all file operations instead of Windows I/O file operations. Thus the FRP file system filter driver is not invoked in SharePoint file operations and the encrypted data is uploaded in plain text.
Files encrypted with FRP are decrypted by default if they are uploaded directly to SharePoint Server; for details see KB70271.

What about third-party encryption compatibility?
McAfee does not recommend installing any other third-party file-based encryption products that operate at the same file system level. It would result in a driver conflict.

Does FRP work in Microsoft Windows Safe Mode?
FRP works for Safe Mode with networking. FRP does not work for Safe Mode without networking.

Encrypted USB media can be read on Windows systems without having to install any FRP software - do I have the same flexibility with Mac OS X?
Yes. Offsite support on Mac OS X clients is a new feature introduced in FRP 4.3.

Is FRP installation supported on Mac computers?
Yes. Support for USB Media protection (container-based option) was introduced with FRP 5.0. The option enables users to initialize (create encrypted containers) on Mac systems.
The following protection level options are supported with this release:
  • Allow Unprotected Access (Report).
  • Allow Encryption (with offsite access).
  • Block Write Operations.

    NOTE: If Enforce Encryption (with offsite access) is selected, the fallback on OS X systems is to the 'Allow' protection level.

How is an iPhone handled by Removable Media?
The iPhone does not present itself as a USB storage device when connected to a Windows operating system. With the iPhone, Removable Media does not try to create an encrypted container.

NOTE: You can exempt devices from Removable Media by using the Exempted Device IDs option. To find the Device ID for a removable media device, see your FRP Product Guide.

Can I use 'User personal keys' in a Host DLP policy?
Yes. You can use 'User personal keys' with Host DLP 11 and later.

Can I Use User Directory accounts to assign keys?
Currently restrictions in the McAfee Agent (MA) mean that User directory cannot be used in FRP key assignment.

Does FRP work with Drive Encryption (DE) or McAfee Management of Native Encryption (MNE)/BitLocker?
Yes. They are different products that operate at different levels. DE/MNE (BitLocker) works at the sector level, and FRP works at the file level.

Back to Top

Do I have to restart a client when I install FRP, as I did with EEFF?
Yes. You must restart the client after you install FRP.

Can I install FRP using a third-party deployment tool?
Yes. For details, see KB81433.

What does a user see if a non-McAfee encrypted drive is plugged into a Removable Media client? Is the user prompted to encrypt?
You might be prompted to perform encryption because Removable Media Protection options (with offsite access) might not recognize the drive as being encrypted.
McAfee advises you to include non-McAfee encrypted devices in the Exempted Device IDs list. The reason is because choosing to create an encrypted container on an already encrypted drive might result in unexpected behavior. Sometimes it can lead to loss of data. The message shown to end users can also be customized as appropriate.

NOTE: For a non-McAfee encrypted drive to be exempted, the device must be added to the exemption list. To find the VID or PID of an Encrypted USB device in Windows, see KB81447.

Is Removable Media functionality installed as a separate package?
Removable Media functionality is automatically installed with FRP.

Can I install FRP in FIPS mode?
Yes. FRP uses the McAfee Core Cryptographic Module (MCCM) which has been validated at FIPS 140-2 Level 1 certification. For more information about how to install FRP in FIPS mode via ePO, see the FRP 5.0 Product Guide PD26185. For details about installing via a command line, see KB81433. For details about FIPS certification for Drive Encryption and File and Removable Media Protection, see KB83483.

NOTE: Deployment of FRP in FIPS mode on a Mac operating system is not currently supported.
Additional FIPS facts:
  • Running ePO in FIPS mode: You must review your overall configuration with the appropriate auditor to determine whether you have to run ePO in FIPS mode. Discussions with your auditor determine whether you have to operate client and server in FIPS mode or just the client. There are restrictions, such as ePO can only manage FIPS-certified products when operating in FIPS mode. For more information, see the relevant ePO Product Guide for your release.
  • Running the Microsoft Windows system on which the FRP client is installed in FIPS mode: To determine, review your overall configuration with the appropriate auditor.
  • Upgrading from an existing version of EEFF to FRP (FIPS mode) is only supported if the previous version of FRP 4.3.x was installed and run in FIPS mode. Otherwise, only clean installations are supported. You cannot move from a non-FIPS installation of EEFF to a FIPS installation of FRP because the keys have previously been generated in a non-FIPS mode. The result is the inability to claim FIPS-certified status for your installation.
  • Clients running FRP in FIPS mode can read files, folders, and removable media devices encrypted by the previous versions of EEFF installed in non-FIPS mode.
  • On systems where FRP is installed in non-FIPS mode, performance benefits offered by MCCM are retained. FRP operating in non-FIPS mode also uses the MCCM cryptographic module and can use performance benefits available by MCCM using AES-NI.
I want to upgrade the product extension to FRP when some of my clients are still on EEFF. Can I still manage these clients with the FRP extension?
Yes. The extension is backward compatible, which allows the EEFF/FRP clients to remain manageable by the FRP extension. But, any new FRP functionality does not work until the EEFF/FRP client has been upgraded.

When I initialize a large 500-GB USB device and need to copy the existing data to the encrypted container, how much free space is required on the FRP client?
When you initialize a large capacity USB device, you see a warning that asks whether you need to back up the data. For example, if you connect a 500-GB drive full of data and choose to back up the data, you need that same amount of free space on the computer to complete the transfer.

How can I perform an FRP client upgrade using a third-party tool, when I cannot uninstall FRP via Add/Remove Programs?
When you use the MSI installer package command-line options to upgrade a client that has a previous version of FRP installed, you must first uninstall the current version.
  1. Run the following command prompt to uninstall FRP:
    • On 32-bit systems, type: msiexec /x eeff32.msi
    • On 64-bit systems, type: msiexec /x eeff64.msi
  2. When prompted to confirm that you want to uninstall the product, click Yes.
  3. When prompted to restart the system, click No.
  4. Now install an updated version of the product with either of the following methods:
    • To install FRP using the latest product guide, click here.
    • To install FRP from the command line. For details, see KB81433

After upgrading from FRP 4.x to 5.x, what happens to the recovery key set as Key recovery on the removable media?
When the recovery for FRP 4.3.x removable media is set to recovery by key, the recovery method and the key set is used for the auto-unlock feature in FRP 5.x. The conversion happens automatically during an upgrade.

Do I have to uninstall the trial version of FRP and install the production version?

Back to Top

What are the encryption options available for Protected Area for FRP?
The following encryption options are available on FRP with 'Allow Encryption (with offsite access)' and 'Enforce Encryption (with offsite access)':
  • Entire Device.
  • User Managed, which is the option that allows you to choose the size of the encryption part of the device.

What is the maximum recommended device size for 'Allow encryption (with offsite access)' or 'Enforce encryption (with offsite access)' options for USB Media?
McAfee has tested and supports devices up to 2 TB, starting with the FRP 4.3 release.

When connecting a USB device, the encrypted area is shown in gigabytes (GB); can this value be shown as a percentage?
No. To have this kind of functionality in a future release, submit a product idea, see the Related Information section for details.

What is the basis on which the new policy pages for CD/DVD and Removable Media categories have been organized?
The original policy pages for both CD/DVD and Removable Media referred to the Encryption Options and Encryption Method respectively. They now both focus on the Protection Level. On selecting the Protection Level, the associated Protection Options are available to be configured.

The main difference in behavior between the file-based and container-based encryption technologies (previously EERM), is that file-based constrains the device usage to systems with FRP installed (onsite access only). Container-based allows for access on systems without McAfee Encryption software installed via the offsite browser (with offsite access). The behavioral change is the main theme of the new UI for both policy categories.

What CD/DVD Protection Level options are available?
  • Allow Unprotected Access
  • Allow Encryption (with offsite access)
  • Enforce Encryption (with offsite access)
  • Enforce Encryption (onsite access only)
  • Block Write Operations

What are the Protection Level options available for Removable Media?
The available options are:
  • Removable Media Policy is organized into two tabs:
    • USB Media
    • Floppy Disk Media
  • Options available for USB Media:
    • Allow Unprotected Access
    • Allow Encryption (with offsite access)
    • Enforce Encryption (with offsite access)
    • Enforce Encryption (onsite access only)
    • BlockWrite Operations
  • Options available for Floppy Disk Media:
    • Allow Unprotected Access
    • Block Write Operations

Will the Block Write Operations protection level offered for USB Media block copy operations from the USB device as well?
No. Only copy operations to the USB device are restricted with this feature.

What is the default Protection Level option for Optical Media, Removable USB Media and Floppy Disk Media?
 Protection Level options are:
  • Optical Media - Enforce Encryption (with offsite access)
  • Removable USB Media - Enforce Encryption (with offsite access)
  • Floppy Disk Media - Block Write Operations

Do the preceding Protection Level options use a file-based encryption or container-based encryption approach?
  • Allow Encryption (with offsite access) and Enforce Encryption (with offsite access) use the container-based approach.
  • Enforce Encryption (onsite access only) uses the file-based encryption approach.

What are the authentication options available for USB devices with the preceding options selected?
Authentication can be password-based, or certificate-based, or key-based. Only password authentication is supported on OS X FRP client.

Can I force an end user to use a password as the authentication mechanism for Removable USB Media?
Yes. You can configure the authentication options available to the end user via the Removable Media policy.

Where can I change the Removable Media password complexity?
It is possible to configure the FRP Removable Media password complexity via the Password Policy Rules page in ePO.
An administrator can configure the following:
  • The minimum length of the password, minimum number of uppercase characters
  • Minimum number of lowercase characters
  • Minimum number of alphabetical characters
  • Minimum number of numeric characters
  • Minimum number of special characters.

    NOTE: The same password quality rules are applicable for FRP Authentication, Removable Media, Self-extractors, and User Local Keys.

Can I use a wildcard with the FRP Removable Media option Exempted Device IDs?
No. You can only exempt a device by using the Device ID. To find the Device ID for a removable media device, see KB81447 or the FRP Product Guide.

Can I configure the FRP Removable Media to exempt devices by serial number?
No. To have this kind of functionality in a future release, submit a product idea, see the Related Information section for details.

What is the maximum number of devices that can be inputted into the Removable Media FRP policy Exempted Device IDs field?
There is a character limitation of 3072 characters for the Device Exemptions field, so optimize entries in the field based on the guidance documented in KB81519.

Can I customize the UI text that appears when a removable USB Media is inserted?
Yes. The administrator can configure this text via the Removable Media policy. The text can be up to 300 characters in length.

What location is used by FRP Removable Media to temporarily store the data when the encryption container is being created?
When FRP Removable Media encrypts a USB device, the original data is moved to your local hard disk under: %<Users temp folder>%\McafeeEERMFormat\Format*

Can I change the temporary location FRP Removable Media uses when encrypting a USB device?
No. To have this kind of functionality in a future release, submit a product idea, see the Related Information section for details.

When is FRP Removable Media configured to delete the files backed up on the local hard disk?
The data is not deleted until you respond to a dialog box either when you exit or reopen FRP Removable Media. Implemented to protect the original data in case the encryption process is interrupted.

Can I configure FRP Removable Media to have a policy where only removable media devices under a certain size are encrypted?
Yes. You can only specify an upper limit for the USB drive size to initialize with FRP Removable Media. The following FRP Removable Media encryption options are available:
  • Entire Device
  • User Managed
    NOTE: Selecting the option User Managed, provides the end user the option to choose the size of the encryption part of the device.

Back to Top

When using the "Send To, Mail Recipient" Windows context menu option to transfer an encrypted file, is it possible to prevent the files from being decrypted?
No. When you use the Windows context menu option Send to, to send to a Mail recipient, files always attach as a decrypted file. Files are attached decrypted regardless of policy settings. Windows Explorer handles the file attachment process.

Is it possible to generate a list of all encrypted files?
Yes, but only locally on the client. FRP provides the option Enable search encrypted, which is located under the General policy, that allows for searching of encrypted files. After enabling this option, the user at the client has a right-click context menu option available that allows the ability to search for encrypted files.
NOTE: There is no current option for administrators to gather this information remotely. To have this kind of functionality in a future release, submit a product idea, see the Related Information section for details.

Is it possible to import/export an Exempted Device IDs list via the ePO console?
No. To have this kind of functionality in a future release, submit a product idea, see the Related Information section for details.

Can I encrypt files and send via Bluetooth?
No. To have this kind of functionality in a future release, submit a product idea, see the Related Information section for details.

Can I use 'User Directory' accounts to assign keys?
No. Restrictions in the McAfee Agent mean that User Directory cannot be used in FRP key assignment.

What is the configurable Key Cache expiry feature?
The Key Cache expiry feature is a software-based, policy-driven feature. It gives the administrator the capability to configure how long the Key Cache is available locally on the FRP client before it is removed because of non-connectivity to the McAfee ePO server.
Additional Key Cache facts:
  • When the FRP client does not connect to the McAfee ePO server for the time period specified by the administrator, the Key Cache (containing the keys) is unloaded from the FRP client. In this scenario, users cannot perform any operations which require the availability of keys, such as:
    • Reading encrypted files or folders on the local computer or network share
    • Initializing or encrypting removable USB media with the options Allow Encryption (with offsite access) or Enforce Encryption (with offsite access), where a key has been configured for recovery Key-based recovery of removable USB media.
    • Encrypting CD/DVDs or USB media with the option Enforce Encryption (with onsite access)
  • Keys, which are unloaded because of non-connectivity to the McAfee ePO server, are reloaded after communication with the McAfee ePO server.
  • Minimum requirement of either ePO or MA for this Key Cache feature is MA5.0 or later.
  • Two options are available with Key Cache policy:
    • Enable Key Cache expiry - when selected, enables the automatic removal of keys from the Key Cache if the client system fails to connect to the McAfee ePO server in the configured period.
    • Key Cache expiry period - specifies the number of days after which Key Cache is unloaded when Enable Key Cache expiry is selected and the client system has not connected to the McAfee ePO server.
      • The default Key Cache value is 90 days.
      • By default, the Key Cache expiry period feature is disabled.
  • The minimum value that can be configured for Key Cache expiry period is one day.
  • All types of keys are unloaded on the FRP client when the specified time period elapses (Regular, User Personal Keys, and User Local Keys).
  • When a key expires the files are not decrypted automatically, and access to those encrypted files is denied as long as the key remains expired.
  • When a key assigned to a user has been revoked or has expired, it is not possible to automate the process of renewing a key. You must access the FRP Keys page via the ePO console and activate the key manually.
Are large files (> 4 GB) now supported with 'Allow/Enforce Encryption with offsite access' options (formerly EERM)?
Yes. You can copy files larger than 4 GB to USB devices in a secure manner. Also, you access them on systems without having to install any McAfee encryption software.

Additional large file facts:
  • Files larger than 4 GB were not supported previously with offsite access options. The reason was because a FAT 32 file system was used for the secure encrypted container, and it placed a maximum file size restriction of 4 GB.
  • Files larger than 4 GB are now supported because McAfee has made improvements to the existing FAT32 container implementation to support files larger than 4 GB.
  • Files larger than 4 GB can be read/copied even on systems without FRP installed (offsite access) and applies to both Windows and Mac OS X.
  • For devices less than or equal to 4 GB in size, those devices continue to retain the old container format. Updating the container format does not serve any purpose in this case because you cannot copy files larger than 4 GB to these USB devices.
  • The max file size supported that can be placed in the encrypted container is, theoretically, up to 256 GB.
  • For devices that are initialized through the User-Managed mode and the container size is less than 4 GB, the device continues to retain the old container format.
  • For a device where the file format is already NTFS, users do not have to format the USB drive to FAT before using with the Removable Media Protection solution. The base file format of the USB device can be either FAT or NTFS. Removable Media Protection solution creates a secure FAT32-based container on top of it.
  • An NTFS file system cannot be used for the removable media encrypted container because it is proprietary to Microsoft and is not natively supported on platforms such as OS X. There are no NTFS public driver implementations available for FRP Removable Media to create the FRP Removable Media encrypted container in NTFS. Also, you must install a driver on the host platform, which also requires local administrator permissions, and which defeats the whole purpose of FRP Removable Media. McAfee could use NTFS for the encrypted containers if we were allowed to install a driver or had some rights.  But, without these abilities, it is impossible to install an NTFS file system. Instead, FRP Removable Media containers must use FAT32.
    NOTE: Although the file system of the USB device can be either FAT or NTFS, the file system of the FRP Removable Media encrypted containers can only be FAT32. Thus, the storage area that is not assigned to be an encrypted container can be NTFS.

I have devices initialized with previous versions of FRP (EEFF) and I want to use the new functionality and place files of size > 4 GB. How do I do it?
You do not need to format or reinitialize the USB drives. With the new FRP option Allow large file support (> 4 GB) policy option enabled, the container format is automatically updated to support large files. It only takes place on the first occasion that the older format USB device is inserted into an FRP 4.3 or 5.0 client.

Additional upgrade container facts:
  • The 'Allow large file support (>4 GB)' option is for new installs, and is enabled by default. For upgrades, it is disabled.
  • An event is generated and captured on the client for the container upgrade process. The event is sent back to ePO for Audit and Reporting purposes. The event helps the administrator track upgrade trends and hot spots for remediation.
  • The container upgrade process takes only a few seconds to complete.
  • Users do not have to move the data out of the device before the container upgrade process. It is a seamless in-place upgrade process with zero user interaction requirements.
  • During the container upgrade process, users see a pop-up message advising them not to eject the device or perform any operations during the upgrade process.
  • Sometimes users see the upgrade message twice during the container upgrade process. FRP must resize the container in addition to changing its format. In this scenario, users are notified that the container upgrade procedure is a two-step process.
  • The container format remains the same as before, and users are not able to copy files larger than 4 GB under the following conditions:
    • Device is initialized with a previous version of FRP and is inserted into a computer running FRP 4.3 or 5.0.
    • The option to allow large file support (> 4 GB) has not been selected.
  • If the option to allow large file support (> 4 GB) has not been selected for newly initialized devices with FRP 4.3/5.0, devices have the older container format. The old format places the file size restriction of 4 GB.
  • If the policy option to allow large file support (> 4 GB) is not selected, you still see an upgrade message under the following condition. The USB device is being upgraded to provision the Mac offsite application. If you select the Allow large file support (> 4 GB) option, the container upgrade and Mac offsite application provisioning occur simultaneously.
  • If you have a mixture of FRP 4.3.x, 5.0.x, and earlier versions of clients in your environment, users cannot read the USB devices having the new container format on computers running previous versions. Computers running the previous versions of FRP are not able to detect the new container format. Although files on the encrypted device can be read on these computers using the offsite application, is not advisable.
Does FRP encrypt temporary and work files generated by programs?
FRP does not encrypt any files or folders that are not specified in the File/Folder encryption policy.

What is McAfee Core Cryptographic Module (MCCM)?
MCCM is a cross-platform, cross-product, cryptographic module developed by McAfee, which is used in upcoming releases of all McAfee Endpoint Encryption products. MCCM provides performance benefits and, in particular, uses Intel Advanced Encryption Standard Instructions (AES-NI), resulting in additional performance improvements on systems with AES-NI support.

Additional MCCM facts:
  • FRP uses MCCM (user) and MCCM (kernel).
  • The current certification status of MCCM module is that the FIPS 140-2 validation process for the McAfee Core Cryptographic Module has been successfully completed. The Cryptographic Module Validation Program (CMVP) awarded certificate number 2239 to the McAfee Core Cryptographic Module (user) in October 2014; which is posted on the NIST website. The companion McAfee Core Cryptographic Module (kernel) FIPS 140-2 validation was announced in August 2014 and has certificate number 2223. These cryptographic modules have been validated at FIPS 140-2 Level 1.

    Certified modules:

What cryptographic algorithms does FRP use?
FRP uses AES-NI AES256.

Which FRP encryption rule takes precedence?
  • Question: If a file extension encryption policy is set to encrypt. For example, PDF files with Key A and a Folder Encryption policy is set to encrypt files in folder X with Key B, which key is used to encrypt a PDF file put into folder X?
  • Answer: It is encrypted with Key B because Folder Encryption always overrides File Extension Encryption.

Can I block a process?
Yes. The main purpose of blocking a process is to prevent encrypted data being unintentionally exposed in plain text. The feature is not designed to share encrypted data via, for example, webmail or the Internet. For FRP best practices, see PD266188.
Processes that are OK to block:
  • FTP processes
  • File-sharing processes
  • File backup processes
Processes that are risky to block:
  • Internet browser processes
  • Email client processes
Processes that must never be blocked:
  • Data compression applications like WinZip
  • Windows Explorer
  • Windows processes
  • EEFF client processes
  • Scanning processes or processes for other McAfee products

Can I use a command line or script to decrypt a file that has been encrypted on a network share?
No. Decryption can only take place via the UI.

Can I read an FRP Removable Media-encrypted USB device on a Windows/Mac OS X computer that does not have FRP?
Yes. A key reason to use FRP Removable Media is to have a File Explorer application that resides on the USB media. This arrangment negates the need for any computer to have FRP Removable Media installed to authenticate and access the data in the FRP Removable Media container.

Can I decrypt the data encrypted on a Removable Media device when I want?
No. First back up the data on the encrypted removable media device, then format the device to remove the encrypted containers. To request enhancement of this feature in a future release of the product, you can submit a product idea. See the Related Information section for details.

NOTE: For Offsite Access, first you need to authenticate the removable media device before following the steps above.

Can I make a USB drive bootable after installing FRP Removable Media?
Yes. When you use FRP Removable Media, there is both a private and public area. You can set up the USB drive as a bootable device if the files required to boot the system are in the public area and are not encrypted.

Can users stop the FRP Removable Media services to disable the encryption policy?
No. You can only disable the encryption policy via the FRP Removable Media policy at the McAfee ePO server.

Do I have to enable the Autorun option for the FRP Removable Media password/encryption prompt to be displayed?
Yes. But, even with Autorun disabled, you can still log on to the FRP Removable Media drive by opening the drive and running the FRP Removable Media application.

Does FRP Removable Media install any software on the computer?
No. Nothing is installed on the local computer. MfeEERM.exe or the Removable Media App for OS X, which resides on the USB device, decrypts the encrypted container (.dsk). The FRP standalone application prompts the user for a password before decrypting.

Can FRP keep a log of the files that are written to an initialized removable USB media?
This ability is not a feature in the current releases. To request enhancement of this feature in a future version of the product, you can submit a product idea. See the Related Information section for details.

Can an encrypted FRP file be emailed, either inside or outside of the company?
Yes. But, other security policies that your company applies might constrain or prohibit this action.

Do I have to take any manual actions to decrypt the file before emailing?
Encrypted files are automatically decrypted when attaching to an email, provided the user has access to the right encryption key. When an email application sends a file, it does not send the mail via Windows file I/O and the FRP filter driver. The reason is because the mail and the attachment leave via a socket connection in plain text. In brief, encrypted files are attached in plain text when sent as email attachments.

NOTE: You can allow encrypted attachments with FRP in Windows Explorer by right-clicking the file to be attached and selecting one of the Attach Encrypted options:
Context Menu Option Description
Attach encrypted to E-mail This option requires the FRP client is installed so the file can be read. So, use this option for internal emailing.
Attach as Self-Extractor to E-mail This option only requires the encryption password to open it. So, use this option for external emailing.

NOTE: Both these right-click options are subject to policy control. If used, a call is made to the default email application and an email opens with the encrypted attachment, based on what the user selected.

Can I block encrypted files from being attached in plain text?
Yes. Use the FRP Blocked processes feature.

NOTE: This feature selection renders encrypted files being attached as encrypted and, so, unreadable outside the organization. But, this feature is not the way to share encrypted attachments via email. Blocked Processes is just a method to prevent encrypted files from being accessed in plain text.

Are User Local Keys backed up on the McAfee ePO server similar to User Personal Keys?
No. The reason for User Local Keys is to keep them local.

Do User Local Keys move with the user if the user has two computers?
Yes. If you are using Roaming Profiles, or if you create the keys on a removable drive, the keys move with the user.

Which key applies when a policy encrypts a subfolder with a different key from its parent folder?
If you encrypt a subfolder with a different key from its parent folder, you only require the key for the subfolder to access the contents of that folder. Example scenario:
  • A policy exists that encrypts Folder A in the path C:\FolderA with a specific key.
  • A newer policy is created that encrypts Folder B in the path C:\FolderA\FolderB with a different key.
You only require the key for Folder B to access the contents of Folder B. Any other items in Folder A remain encrypted.

Must I delete or remove the User Local Keys created on the client?
No. These keys are not automatically deleted because they can be accessed again if you reinstall the FRP client. You can only manually delete User Local Keys.

Does FRP encrypt the file or folder with a symmetric or an asymmetric key?

Can I share FRP encryption keys between McAfee ePO server?
No. The only way to share the keys between the McAfee ePO server is to export the keys from one McAfee ePO server and import them to another.

If a user has multiple USB drives, do the drives share the recovery key on both the same or different computers?
Yes. Multiple USB drives share the recovery key on multiple computers.

IMPORTANT: If you use two USB devices on two different computers, you can have a different recovery key if the FRP administrator has set a different recovery key for different computers.

Are user-based policies manageable via an Active Directory (AD) Group Membership or Organization Unit affiliation?
Yes. You can manage user-based policies via AD Group Membership.

Can I apply multiple policies to a user account and if so, how does policy precedence work?
There are two ways in which a user account can have multiple policies:
  • If no Policy Assignment Rule is set for the user account (for the required policy), the user would get the policies depending on the applied policies for the logged on computer. For example, if a user logs on to Computer1, they would get the Explicit Encryption context menu option as it might have been enabled for Computer1 FRP General Policy. In case the same user logs on to Computer2, then the user might not have the Explicit Encryption context menu option, as it might have been disabled in the Computer2 FRP General Policy.
  • If a Policy Assignment Rule has been set for the user account, the precedence is determined according to the priority set for the Policy Assignment Rules.

What is the purpose of the Self-Extractor?
To share encrypted data with users that do not have FRP installed on their computers. For example, if you want to hand over the input material for your financial statements to a third party.

Additional Self-Extractor file facts:
  • Algorithm is used when creating an FRP Self-Extractor file. When you select Save to disk, the Self-Extractor is saved to the user-specified location (for example, to a USB flash memory drive). When you are prompted to select the password to be used to encrypt the Self-Extractor, the key is based on Password-Based Cryptography Standard (PKCS) PKCS#5. The encryption key is derived from the password and then that key is used to encrypt the Self-Extractor. The encryption used is the AES 256 algorithm.
  • The largest recommended input data size when creating a self-extractor file is 10 MB because it is optimized for email attachments. You can use a larger input data size, but McAfee does not recommend using larger files. Any issues found when using larger files are not supported.
  • FRP Self-Extractor files are not readable by a macOS. The FRP Self-Extractor creates a Windows executable. To request enhancement of this feature in a future version of the product, you can submit a product idea. See the Related Information section for details.
  • FRP does not compress files that are encrypted with regular encryption. Compression is only performed on FRP self-extracting files.

What is the temporary location for the encrypted container that holds the selected data to be burned to CD/DVD or streamed out as an ISO image?
The Windows API is used to return the temporary path where FRP then creates a subfolder. For Windows 7 and later, the temporary path by default is C:\Program Data\. You can reconfigure this path from within Windows.

Additional CD/DVD/ISO facts:
  • Users do not have to select the files and folders to be written to CD/DVD/ISO each time. The feature allows the user to define and save a project file (.emo extension) that contains metadata about the source location and content. If changes have been made to the source structure or content since the project was last saved, the tool highlights the changes.
  • Users can use this CD/DVD/ISO project file to back up the same source content on a periodic basis. The project file saves metadata about the source folders and content. You can set up a project file to capture the files and folders to be included in the backup. You can then open the project file and use it to define the content to be archived to CD/DVD/ISO.
  • The structures on the CD/DVD/ISO do not have to be the same as in the source location. The project file provides a mapping between the source files and folders and the structure used in the CD/DVD/ISO image. You can move, rename, and create folders within the project file, and you can move and rename files. The structure created on the CD/DVD/ISO reflects the structure defined.
What ISO standard does FRP use (Offsite Access protection)?
FRP uses the native Windows API (Microsoft Windows Image Mastering API v2.0) for burning, and uses Level 2. For details, see https://msdn.microsoft.com/en-us/library/windows/desktop/aa364836%28v=vs.85%29.aspx.

Is the support for selected modes for Citrix XenDesktop 5.6 and 7.1 with FRP applicable to the entire product functionality?
Yes. File and folder encryption and also the Removable Media Encryption functionality are supported in a VDI environment.

Is there anything different that I have to do if I provision FRP in a Citrix XenDesktop environment?
No. The workflow remains the same.

Can I recover a USB drive that is NTFS formatted on a Mac?
No. Although FAT32 formatted devices can be recovered on a Mac, NTFS formatted devices cannot. The limitation is down to macOS in which it can read but not write to NTFS devices. Trying to recover an NTFS formatted device on a Mac results in the error "Password Update Failed.”

Why was the Recovery Password option removed in FRP 5.0 and later?
A Challenge Response Help Desk recovery feature (similar to Drive Encryption) for USB devices was added in FRP 5.0. To minimize the changes, the existing fields previously used for Recovery Password were reused. The decision was based on feedback that if end users cannot remember the primary authentication password, it is unlikely they remember the recovery password.

NOTE: USB drives previously initialized with Recovery Password can still be recovered.

Back to Top

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.