Documentation Correction: File and Removable Media Protection 5.0.2 Product Guide
Technical Articles ID:   KB87628
Last Modified:  7/10/2018

Environment

McAfee File and Removable Media Protection (FRP) 5.0.2

For details of FRP supported environments, see KB81149.

Summary

This article provides corrections to the File and Removable Media Protection 5.0.2 Product Guide (PD26598).

Problem

The following mistakes have been identified:

Item 1
Documentation mistake: The description of the Advanced Debug Options setting under the Encryption policy options is incorrect (page 36). The guide currently reads:
  Advanced Debug Options - Specify the elements to exempt the device inserted by the user for better security.
Correction:
  Advanced Configuration Options - This setting allows certain specific features or workflows in the product to be enabled or disabled on the client. For details, see KB83461.

Item 2
Documentation mistake: The current content does not accurately cover the other possibilities (section 5, page 35). The guide currently reads:
  Option: Lock Triggers
  Definition: Specifies the conditions that trigger the unloading of encrypted keys.

  Windows Lock Screen - Requires that the user reauthenticate if Windows is not used for the configured time period (0–720 minutes). Default value is 0.

  NOTE: This option can either be disabled or enabled with a timeout. If disabled, the keys are always dropped when Windows is locked. Being disabled is the same as being enabled with a timeout of 0.
Correction: This section will be updated or removed in a future release. The behavior when the 'Windows Lock Screen' trigger is disabled is not the same as setting the 'Windows Lock Screen' timeout to 0:
  • When you set the timeout to 0, the FRP keys are dropped immediately after the screen is locked.
  • When the Windows Lock Screen trigger is disabled, the keys are not dropped even though the screen is locked, because the policy is disabled.
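
The distinction above is easy to get wrong when reviewing a policy, so here is a small model of the corrected semantics. This is an added illustration, not code from the article or from FRP: the function names (key_unload_minute, keys_available) and the scenario values are constructed, and only the 0–720 minute range comes from the guide.

```python
# Added illustration of the corrected 'Windows Lock Screen' lock-trigger
# semantics described in Item 2. Hypothetical helper, not FRP code.
from typing import Optional

MAX_TIMEOUT_MINUTES = 720  # configurable range stated in the guide: 0-720


def key_unload_minute(trigger_enabled: bool, timeout_minutes: int = 0) -> Optional[int]:
    """Minutes after the Windows screen locks at which the FRP keys are dropped.

    Returns None when the keys are never dropped on lock, i.e. when the
    'Windows Lock Screen' trigger is disabled. With the trigger enabled,
    a timeout of 0 means 'immediately' and N means 'after N minutes'.
    """
    if not trigger_enabled:
        return None
    if not 0 <= timeout_minutes <= MAX_TIMEOUT_MINUTES:
        raise ValueError(
            f"timeout must be between 0 and {MAX_TIMEOUT_MINUTES} minutes, got {timeout_minutes}"
        )
    return timeout_minutes


def keys_available(trigger_enabled: bool, timeout_minutes: int, minutes_locked: int) -> bool:
    """Are the encrypted keys still loaded `minutes_locked` minutes into a screen lock?"""
    unload_at = key_unload_minute(trigger_enabled, timeout_minutes)
    return unload_at is None or minutes_locked < unload_at


if __name__ == "__main__":
    # Constructed scenarios showing why 'disabled' is not the same as 'timeout 0'
    for enabled, timeout in ((False, 0), (True, 0), (True, 30)):
        state = "enabled " if enabled else "disabled"
        print(f"trigger {state}, timeout {timeout:>3} min: "
              f"keys still loaded after 10 min locked -> {keys_available(enabled, timeout, 10)}")
```

Running the script shows the practical consequence: with the trigger disabled the keys remain loaded for the whole lock period, whereas timeout 0 unloads them at the moment of locking.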

Problem

The following omissions and changes result from the exposure of a smart card authentication option included in FRP 5.0.4:

Item 1
Documentation omission: The introduction to the FRP key authentication section needs to include a reference to the smart card authentication option (page 15), and a summary of this option needs to be added. The existing documentation content states:
  User assigned keys can either be associated with the operating system (OS) token or FRP password token
Correction:
  User assigned keys can now be associated with the OS token, FRP password token, smart card token, or any combination of the three.

  Smart card authentication
  Keys associated with smart card authentication are available to users based on authentication with a smart card token. See KB89888 for additional information about smart card tokens.

Item 2
Documentation omission: In the "Assign user personal keys to users or user groups" section (page 25) and the "Assign regular keys to user or groups" section (page 26), the "Authentication Type" options need to include smart card authentication. The existing documentation content states:
  In the Authentication Type area, select either of the following:
    • OS authentication - To enable users to access assigned keys through operating system authentication.
      NOTE: The McAfee ePO administrator has the flexibility to mandate that the user authenticates using the Active Directory user name and password for the first time that the OS token is used on a given Windows system. This option can be configured from the OS Token tab of the Authentication policy.
    • Password authentication - To enable users to access assigned keys through password authentication.
Correction:
  In the Authentication Type area, select one of the following:
    • OS authentication - To enable users to access assigned keys through operating system authentication.
      NOTE: The McAfee ePO administrator has the flexibility to mandate that the user authenticates using the Active Directory user name and password for the first time that the OS token is used on a given Windows system. This requirement can be configured from the OS Token tab of the Authentication policy.
    • Password authentication - To enable users to access assigned keys through password authentication.
    • Smart card authentication - To enable users to access assigned keys through smart card authentication.

 

Problem

The following enhancements were introduced in FRP 5.0.7 and later:

Item 1
Current documentation (FRP 5.0.6 and earlier): USB or CD/DVD media that was encrypted with Onsite only access would show up in all queries and events in ePO as an Unprotected device. This behavior was documented in the FRP 5.0.2 Product Guide (PD26598) under FRP Client events, Removable media events:
  Definition:
    • Size (in GB)
    • File system of device (FAT32, NTFS, EERM)
      NOTE: The file system of devices with the new container format (support for files > 4 GB) is shown as FAT32; devices with the legacy container are shown as EERM.
    • Vendor name
    • Product name
    • Exempted (Yes, No, Unknown)
    • Protected (Yes, No, Unknown) (only USB devices protected by the "Offsite access" options are considered protected).
Enhancement (FRP 5.0.7 and later): USB and CD/DVD media encrypted by either Onsite only access or Offsite access are now both considered protected devices. They show up in FRP queries as protected media.

NOTE: These changes do not affect any existing events in ePO. Any new events sent from the FRP client to ePO carry the updated status of the media.

Item 2
Background details: In previous versions of FRP (5.0.6 and earlier), it was possible to configure the FRP encryption policy settings for applications based on their process names from the Application-based Protection policy page. With FRP 5.0.7, configuring this policy has been made simpler by allowing administrators some flexibility in the process and extension names.

With FRP 5.0.6 and earlier, this was achieved by:
  1. Click Add/+ to specify the process and the file extensions to be encrypted.
  2. Specify the process name of the application, as seen in Windows Process Explorer, to encrypt files created by that application (for example notepad.exe or test.exe).
  3. Specify the file extensions supported by the process that are to be encrypted, without a period '.' (for example txt, doc). Multiple file extensions can be specified using a space, semicolon, or colon as separators.
  4. Specify the encryption key to be assigned to the policy. Browse to select the required key.
With FRP 5.0.7 and later, this is achieved by:
  1. Click Add/+ to specify the process and the file extensions to be encrypted.
  2. Specify the process name of the application:
     Option 1 - Specify the process name as seen in Windows Process Explorer to encrypt files created by the application (for example notepad.exe or test.exe).
     Option 2 - Starting with FRP 5.0.7, it is also possible to specify the process name without its suffix (for example '.exe' or '.com'), using just notepad or test.
  3. Specify the file extensions supported by the process that are to be encrypted (examples: 'txt', 'doc', '.xls', '.tmp'). Multiple file extensions can be specified using a space, semicolon, or colon as separators.
  4. Specify the encryption key to be assigned to the policy. Browse to select the key.
NOTE: These changes do not affect any existing policies. Administrators can continue to configure their policy settings as they do in earlier FRP versions, or start configuring the policy settings as per the FRP 5.0.7 changes above, without affecting the client functionality.
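
To make the difference between the 5.0.6 and 5.0.7 matching rules concrete, the following model parses an extension list with the documented separators and matches a rule's process name against a process name observed on the client, in both the legacy (suffix required, no leading period) and the 5.0.7 (suffix optional, period tolerated) forms. This is an added example, not code from the article or from FRP; the names (parse_extensions, AppProtectionRule, process_matches, key_for_file), the sample rules and key labels are constructed, and case-insensitive comparison is an assumption the guide does not state.

```python
# Added illustration of the process-name and extension matching rules for
# the Application-based Protection policy described above. Hypothetical
# helper, not FRP code; all names and sample data here are constructed.
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# The guide lists space, semicolon and colon as extension separators.
_SEPARATORS = re.compile(r"[ ;:]+")


def parse_extensions(spec: str, legacy: bool = False) -> frozenset:
    """Normalise the admin-entered extension string into a set of bare extensions.

    legacy=True models FRP 5.0.6 and earlier, where extensions must be given
    without a period; FRP 5.0.7 and later accept 'txt' and '.xls' alike.
    """
    exts = set()
    for token in _SEPARATORS.split(spec.strip()):
        if not token:
            continue
        if legacy and token.startswith("."):
            raise ValueError(f"{token!r}: extensions must not start with '.' in FRP 5.0.6 and earlier")
        token = token.lstrip(".").lower()
        if token:
            exts.add(token)
    return frozenset(exts)


@dataclass(frozen=True)
class AppProtectionRule:
    process: str           # "notepad.exe" (any version) or "notepad" (5.0.7 and later)
    extensions: frozenset  # result of parse_extensions()
    key_name: str          # label of the encryption key assigned to the rule


def process_matches(rule_process: str, observed: str, legacy: bool = False) -> bool:
    """Does a rule's process name cover a process name observed on the client?

    Assumption (not stated in the guide): the comparison is case-insensitive,
    as Windows file names are. With legacy=True (5.0.6 and earlier) only the
    full name including suffix matches; from 5.0.7 a bare name such as
    'notepad' also matches 'notepad.exe' or 'notepad.com'.
    """
    rule = rule_process.lower()
    seen = observed.lower()
    if rule == seen:
        return True
    if legacy or "." in rule:
        return False
    stem, dot, _suffix = seen.rpartition(".")
    return bool(dot) and stem == rule


def key_for_file(rules: Iterable[AppProtectionRule], observed_process: str,
                 path: str, legacy: bool = False) -> Optional[str]:
    """Return the key name of the first rule covering (process, file extension), else None."""
    ext = PureWindowsPath(path).suffix.lstrip(".").lower()
    for rule in rules:
        if process_matches(rule.process, observed_process, legacy) and ext in rule.extensions:
            return rule.key_name
    return None


# Constructed sample policy; key labels are placeholders, not real key names.
RULES = [
    AppProtectionRule("notepad", parse_extensions("txt doc;.xls:.tmp"), "Key-Docs"),
    AppProtectionRule("test.exe", parse_extensions("csv"), "Key-Test"),
]

if __name__ == "__main__":
    for proc, path in (("NOTEPAD.EXE", r"C:\notes\memo.TXT"),
                       ("notepad.com", r"C:\notes\sheet.xls"),
                       ("test.exe", r"C:\out\data.csv"),
                       ("test.exe", r"C:\out\data.txt")):
        print(f"{proc:12} {path:24} -> {key_for_file(RULES, proc, path)}")
```

Note that the first sample rule ("notepad" with '.xls') is only valid under the 5.0.7 rules: calling parse_extensions with legacy=True on the same string raises, and process_matches with legacy=True no longer matches notepad.exe, which mirrors the page's point that the new, looser syntax is additive rather than a replacement.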