McAfee Endpoint Encryption for Files and Folders
4.0.0
Product Guide
COPYRIGHT
Copyright © 2011 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,
WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property
of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide2
Contents
Introducing McAfee Endpoint Encryption for Files and Folders. . . . . . . . . . . . . . . . . . . . . . . 5
Installing EEFF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Uninstalling EEFF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Why EEFF?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
How EEFF 4.0 works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
EEFF Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
System requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
About this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Installing EEFF using ePO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Checking in the EEFF deployment package. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Installing EEFF extension. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Installing the ePO help extension. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Registering an LDAP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Deploying EEFF on managed nodes using ePO 4.5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Deploying EEFF on managed systems using ePO 4.6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Uninstalling EEFF from managed nodes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Uninstalling EEFF from managed nodes using ePO 4.6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Removing the EEFF extension. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Removing EEFF deployment package. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Uninstalling EEFF from managed nodes using command prompt. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Uninstalling EEFF from managed nodes using Shell command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Uninstalling EEFF from managed nodes using MSI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configuring EEFF policies using ePO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
EEFF Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Creating a policy from Policy Catalog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Editing the EEFF policy settings from Policy Catalog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Assigning policies to a system or a system group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Assigning a policy to a managed node. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Assigning a policy to a system group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Enforcing EEFF policies on a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Enforcing EEFF policies on a system group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Contents
How Policy Assignment Rules work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Policy assignment rule priority. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Working with policy assignment rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
How multi-slot policies work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Assigning multiple instances of Grant Key policy through System Tree. . . . . . . . . . . . . . . . . . . . . . . 25
Assigning Grant key policy through policy assignment rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Viewing effective policy assigned to systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Viewing effective policy assigned to users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Managing EEFF keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Creating a regular key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Activating or deactivating keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Assigning keys to a policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Editing a key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Deleting keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Exporting keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Importing keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
How user personal keys work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Working with user personal keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Managing EEFF Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Creating EEFF custom queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Viewing the standard EEFF queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Defining EEFF permission sets for ePO users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Creating permission sets for user accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Editing EEFF Policy Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Editing EEFF Key Server permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Appendix A: Removable Media registry controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Relaxing the Removable Media definition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Exempt local drives and network shares from encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Appendix B: Best Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide4
Introducing McAfee Endpoint Encryption for
Files and Folders
McAfee Endpoint Encryption for Files and Folders (EEFF) offers data protection in the form of
powerful encryption technology so that only authorized users can access information.
Contents
Why EEFF?
How EEFF 4.0 works
EEFF Features
System requirements
About this guide
Why EEFF?
EEFF offers enhanced security to protect your data. EEFF depends on Microsoft Windows user
accounts and works in real-time to authenticate user to access encryption keys and to retrieve
the correct policy in EEFF. A smart card implementation based on Windows logon can be used
for enhanced security.
Endpoint Encryption for Files and Folders allows you to define and protect information in a way
that only certain users can access it. This data is stored, managed, archived, and distributed
as any other file is, however, it can be viewed only by those who have been granted access.
Endpoint Encryption for Files and Folders is a Persistent Encryption engine: when a file has
been encrypted and has been moved or copied to another place, it remains encrypted. If a file
is moved out of an encrypted directory, it will also remain encrypted. Likewise, if an encrypted
file is moved to a memory stick – the encryption will remain in place.
EEFF integrates with McAfee ePolicy Orchestrator (ePO), which provides a single point of control
over all the data on the systems. EEFF with ePO supports both user-based and system-based
policies. Assigning these policies to users encrypts the data on the client as configured.
EEFF depends on Microsoft Windows credentials therefore, both registered domain users and
local system users can be assented encryption policies and associated keys.
How EEFF 4.0 works
EEFF encrypts folders and files according to policies assigned to the user. These policies are
enforced by the ePO server.
5McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Introducing McAfee Endpoint Encryption for Files and Folders
EEFF Features
The client software is installed on the client system. After the installation, the system synchronizes
with the ePO server and acquires the user data. EEFF then assigns encryption policies and keys
to the user as configured.
EEFF client acts like a filter between the application creating or editing the files and the storage
media. When a file is saved, EEFF filter executes the assigned encryption policies and encrypts
the data, if applicable. If the user manages to kill the main EEFF process on the client system,
EEFF encrypts folders and files according to policies assigned to the user. These policies are
enforced by the ePO server.
The client software is installed on the client system. After the installation, the system synchronizes
with the ePO server and acquires the user data. EEFF then assigns encryption policies and keys
to the user as configured.
The EEFF client acts like a filter between the application creating or editing the files and the
storage media. When a file is saved, the EEFF filter executes the assigned encryption policies
and encrypts the data, if applicable. If the user manages to kill the main EEFF process
(MfeffCore.exe) on the client system, attempting to deviate from the assigned encryption policy,
the process will be automatically regenerated. The automatic restart cannot be disabled.
When a file that is encrypted with key A is moved to a folder where files are encrypted with
key B, the file encrypted with key A will immediately be re-encrypted with key B. This behavior
is known as
has access to both key A and key B. This operation takes place instantly when the file is placed
in the folder encrypted with key B.
follow-target-encryption
and requires that the user or process transferring the file
EEFF Features
• Centralized management — Provides support for deploying and managing McAfee Endpoint
Encryption for Files and Folders using ePO 4.5 and 4.6.
• Windows authentication based policy enforcement — Assigns encryption policies and
keys to Windows user accounts.
• Integration with the McAfee Tray icon - Consolidates the tray icons to one common
McAfee icon.
• User Personal Keys - Allow users to have individual keys, generated centrally and possible
to assign in policies for encryption.
• Protect data on Removable media — Provides support for removable media encryption.
• Migration from EEFF v3.x to EEFF v4 - Provides support for migrating keys from EEFF
v3.x to EEFF v4 by importing them into ePO.
• File Extension exclusion - Excludes the listed file types from encryption. For example,
MP3 and WAV files.
System requirements
System requirements
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide6
RequirementsSystems
See McAfee ePolicy Orchestrator 4.5 and 4.6 - Installation GuideePO Server Systems
Introducing McAfee Endpoint Encryption for Files and Folders
About this guide
Software requirements
RequirementsSoftware (or package name)
McAfee management software • ePO 4.5 (minimum patch 4) and 4.6
• McAfee Agent for Windows 4.5 (minimum Patch 2) and 4.6
Endpoint Encryption for Files and Folders • EEFF Extension
• EEFF_4.0.0_xxx.ZIP
• help_eeff_400.ZIP
• MfeEEFF_Client_4.0.0.x.ZIP
Redistributable” package ( for ePO)
Redistributable” package ( for ePO)
Operating system requirements
Client Systems • Microsoft Windows Vista (32-bit) SP 2
About this guide
This guide provides information on detailed instructions for managing the McAfee Endpoint
Encryption for Files and Folders 4.0 client.
Target audience
See McAfee ePolicy Orchestrator 4.5 and 4.6 - Installation GuideMicrosoft “Windows Installer 3.0
See McAfee ePolicy Orchestrator 4.5 and 4.6 - Installation GuideMicrosoft “.NET Framework 2.0
See McAfee ePolicy Orchestrator 4.5 and 4.6 - Installation GuideMicrosoft MSXML 6 ( for ePO)
SoftwareSystems
See McAfee ePolicy Orchestrator 4.5 and 4.6 - Installation GuideePO Server Systems
• Microsoft Windows XP (32-bit) SP 3
• Microsoft Windows 7 (32-bit and 64-bit) SP 0 and SP 1
This guide is mainly intended for McAfee Endpoint Encryption for Files and Folders users.
7McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Installing EEFF
This chapter describes how to install EEFF using McAfee ePolicy Orchestrator management
software version 4.5 and 4.6. To use this chapter effectively, you need to be familiar with ePO.
NOTE: This document does not provide detailed information about installing or using ePO. See
the McAfee ePolicy Orchestrator product documentation for more information.
Installing EEFF using ePO
The ePO server provides a scalable platform for centralized policy management and enforcement
of EEFF on the managed nodes. It also provides comprehensive reporting and product
deployment capabilities, all through a single point of control.
Tasks
Checking in the EEFF deployment package
Installing EEFF extension
Installing the ePO help extension
Registering an LDAP Server
Deploying EEFF on managed nodes using ePO 4.5
Deploying EEFF on managed systems using ePO 4.6
Checking in the EEFF deployment package
Use this task to check in the EEFF deployment package to the master repository.
Task
For option definitions, click ? in the interface.
1 Copy the MfeEEFF_Client_4.0.0.x archive to a temporary location of your ePO computer.
2 Log on to the ePO server as an administrator.
3 Click Menu | Software | Master Repository, then click Actions | Check In Package.
The Check In Package wizard appears.
4 In the Package page, select the Package type as Product or Update (.ZIP) and browse
in File path to locate MfeEEFF_Client_4.0.0.x saved in a temporary folder.
5 Click Next. The Package Options page appears with the package information.
6 Click Save.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide8
Installing EEFF
Installing EEFF using ePO
Installing EEFF extension
Use this task to install the EEFF extension. The extension file is in .ZIP format.
Task
For option definitions, click ? in the interface.
1 Copy the EEFF_4.0.0_xxx archive to a temporary location of your ePO computer.
2 Log on to the ePO server as an administrator.
3 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog
box appears.
4 Click Browse to locate the extension file EEFF_4.0.0_xxx, then click OK. The Install
Extension page appears with the extension name and version details.
5 Click OK.
Installing the ePO help extension
You can install the ePO help extension separately on the ePO 4.5 and 4.6 server using the
Software tab. The Help extension is a .ZIP file.
Task
For option definitions, click ? in the interface.
1 Log on to the ePO server as an administrator.
2 Click Menu | Software | Extensions | Install Extension. The Install Extension dialog
box appears.
3 Click Browse, then select the extension file help_eeff_400.ZIP, then click OK. The
Install Extension page appears with the extension name and version details.
4 Click OK.
Registering an LDAP Server
Use this option to register an LDAP Server such as Microsoft Active Directory (AD). You must
have a registered Active Directory to use Policy Assignment Rules, to enable dynamically assigned
permission sets, and automatic user account creation.
Before you begin
Make sure you have the appropriate rights to modify server settings, permission sets, users,
and registered servers.
Task
For option definitions, click ? in the interface.
1 Log on to the ePO server as an administrator.
2 Click Menu | Configuration | Registered Servers, then click New Server. The
Registered Server Builder wizard opens.
3 From the Server type drop-down list on the Description page, select LDAP Server, specify
a unique name (a user friendly name) and any details, then click Next. The Details page
appears.
9McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Installing EEFF
Installing EEFF using ePO
4 Type the Domain name or the Server name.
NOTE: Use DNS-style domain name. While using DNS-style domain name, ensure that the
system is configured with appropriate DNS setting and can resolve the DNS-style domain
name of the Active Directory. The Server name is the name or IP address of the system
where the Windows Active Directory is present.
5 Type the User name and Password.
NOTE: The User name should be of the format: domain\Username of Active Directory
accounts.
6 Click Test Connection to ensure that the connection to the server works, then click Save.
Deploying EEFF on managed nodes using ePO 4.5
Use this task to deploy EEFF on the managed nodes. ePO allows you to create tasks to deploy
product on a single node, or on groups of the system tree.
Task
For option definitions, click ? in the interface.
1 Log on to the ePO server as an administrator.
2 Click Menu | Systems | System Tree | Client Tasks, select the required group in the
System Tree, then click Actions | New Task. The Client Task Builder wizard appears.
3 In the Description page, type a Name for the task, Notes (optional), select the Type as
Product Deployment, then click Next.
4 In the Configuration page, select Target Platforms as Windows, Products and
components as McAfee Endpoint Encryption for Files and Folders 4.0.0.0, Action
as Install. Select an appropriate Language, then click Next.
5 Schedule the task to run immediately or as required, then click Next to view a summary
of the task.
6 Review the summary of the task, then click Save. The task is added to the list of client
tasks for the selected group and any group that inherits the task.
7 Send an agent wake-up call.
Deploying EEFF on managed systems using ePO 4.6
Use this task to deploy EEFF to groups of managed systems in the System Tree.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Client Task Catalog , select McAfee Agent | Product
Deployment as Client Task Types, then click Actions | New Task . The New Task dialog
box appears.
2 Ensure that Product Deployment is selected, then click OK.
3 Type a name for the task you are creating and add any notes.
4 Select Target Platforms as Windows, Products and components as McAfee Endpoint
Encryption for Files and Folders 4.0.0.0, Action as Install. Select an appropriate
Language
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide10
Installing EEFF
Installing EEFF using ePO
5 Next to Options, select if you want to run this task for every policy enforcement process
(Windows only) and click Save.
6 Click Menu | Systems | System Tree | Assigned Client Tasks, then select the required
group in the System Tree.
7 Select the Preset filter as Product Deployment (McAfee Agent).
Each assigned client task per selected category appears in the details pane.
8 Click Actions | New Client Task Assignment. The Client Task Assignment Builder wizard
appears.
9 On the Select Task page, select Product as McAfee Agent and Task Type as Product
Deployment, then select the task you created for deploying product.
10 Next to Tags, select the desired option, then click Next:
• Send this task to all computers
• Send this task to only computers that have the following criteria — Use one
of the edit links to configure the criteria.
11 On the Schedule page, select whether the schedule is enabled, and specify the schedule
details, then click Next.
12 Review the summary, then click Save.
11McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Uninstalling EEFF
This chapter describes how to uninstall EEFF from managed nodes and ePO server.
Contents
Uninstalling EEFF from managed nodes
Uninstalling EEFF from managed nodes using ePO 4.6
Removing the EEFF extension
Removing EEFF deployment package
Uninstalling EEFF from managed nodes using command prompt
Uninstalling EEFF from managed nodes
Use this task to uninstall EEFF from managed nodes.
Task
For option definitions, click ? in the interface.
1 Log on to the ePO server as an administrator.
2 Click Menu | Systems | System Tree | Client Tasks, select the required group in the
System Tree, then click Actions | New Task. The Client Task Builder wizard appears.
3 In the Description page, type a Name for the task, Notes (optional), select the Type as
Product Deployment, then click Next.
4 In the Configuration page, select Target Platforms as Windows, Products and
components as McAfee Endpoint Encryption for Files and Folders 4.0.0.0, Action
as Remove. Select an appropriate Language, then click Next.
5 Schedule the task to run immediately or as required, then click Next to view a summary
of the task.
6 Review the summary of the task, then click Save.
7 Send an agent wake-up call.
Uninstalling EEFF from managed nodes using ePO
4.6
Use this task to unistall EEFF from managed systems in the System Tree.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide12
Uninstalling EEFF
Removing the EEFF extension
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Client Task Catalog , select McAfee Agent | Product
Deployment as Client Task Types, then click Actions | New Task . The New Task dialog
box appears.
2 Ensure that Product Deployment is selected, then click OK.
3 Type a name for the task you are creating and add any notes.
4 Select Target Platforms as Windows, Products and components as McAfee Endpoint
Encryption for Files and Folders 4.0.0.0, Action as Remove. Select an appropriate
Language
5 Next to Options, select if you want to run this task for every policy enforcement process
(Windows only) and click Save.
6 Click Menu | Systems | System Tree | Assigned Client Tasks, then select the required
group in the System Tree.
7 Select the Preset filter as Product Deployment (McAfee Agent).
Each assigned client task per selected category appears in the details pane.
8 Click Actions | New Client Task Assignment. The Client Task Assignment Builder wizard
appears.
9 On the Select Task page, select Product as McAfee Agent and Task Type as Product
Deployment, then select the task you created for uninstalling EEFF from managed nodes.
10 Next to Tags, select the desired option, then click Next:
• Send this task to all computers
• Send this task to only computers that have the following criteria — Use one
of the edit links to configure the criteria.
11 On the Schedule page, select whether the schedule is enabled, and specify the schedule
details, then click Next.
12 Review the summary, then click Save.
Removing the EEFF extension
Use this task to remove the EEFF extension from the ePO server.
Task
For option definitions, click ? in the interface.
1 Log on to the ePO server as an administrator.
2 Click Menu | Software | Extensions. The Extension page appears with the extension
name and version details.
3 Select the Endpoint Encryption for Files and Folders extension file, then click Remove.
The Remove extension confirmation page appears.
4 Select Force removal, bypassing any checks or errors to force product extension
removal, then click OK.
13McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Uninstalling EEFF
Removing EEFF deployment package
Removing EEFF deployment package
Use this task to remove the EEFF deployment package from the ePO.
Task
For option definitions, click ? in the interface.
1 Log on to the ePO server as an administrator.
2 Click Menu | Software | Master Repository. The Packages in Master Repository page
appears with the list of software packages and their details.
3 Click Delete next to EEFF package. The Delete package confirmation page appears.
4 Click OK on the Delete Package page.
Uninstalling EEFF from managed nodes using
command prompt
Use these tasks to uninstall EEFF from managed nodes using command prompt.
Uninstalling EEFF from managed nodes using Shell command
Use this task to uninstall EEFF from a managed node using MfeFfShell command.
Before you begin
You should have administrator rights to run this command on the managed node.
Task
For option definitions, click ? in the interface.
1 On the command prompt navigate to the folder where EEFF was installed.
NOTE: By default, EEFF is installed in
[SYSDRIVE]:\Program Files\McAfee\Endpoint Encryption for Files and Folders
2 Run the following command MfeFfShell.com-force_uninstall. You will be prompted to
restart the system after uninstallation.
Uninstalling EEFF from managed nodes using MSI
Use this task to uninstall EEFF from a managed node using MSI.
Before you begin
You should have administrator rights to run this command on the managed node.
Task
For option definitions, click ? in the interface.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide14
Uninstalling EEFF
Uninstalling EEFF from managed nodes using command prompt
1 On the command prompt navigate to the folder where EEFF was installed.
NOTE: By default, EEFF is installed in
[LOCAL APPDATA]\McAfee\Common Framework\Current/EEFF____4000\Install\0000
[LOCAL APPDATA] specifies:
• C:\Document and Settings\All Users in Windows XP and Windows 2003
• C:\ProgramData in Windows Vista, Windows 2008, and Windows 7
2 Run the following commands to uninstall EEFF. You will be prompted to restart the system
after uninstallation.
msiexec /q /norestart /I eeff[XX].msi
1
msiexec /q /x eeff[XX].msi
2
[XX] — 32 for 32-bit Operating System and 64 for 64-bit Operating System
15McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Configuring EEFF policies using ePO
A policy is a collection of settings that you create, configure, then enforce. Policies ensure that
the managed security software products are configured and perform accordingly.
Some policy settings are the same as the settings you configure in the interface of the product
installed on the managed system. Other policy settings are the primary interface for configuring
the product or component. The ePO console allows you to configure policy settings for all
products and systems from a central location.
How policy enforcement is set
For each managed product or component, choose whether the agent enforces all or none of
its policy selections for that product or component.
From the Assigned Policies page, choose whether to enforce policies for products or components
on the selected group.
In the Policy Catalog page, you can view policy assignments, where they are applied, and if
they are enforced. You can also lock policy enforcement to prevent changes to enforcement
below the locked node.
Contents
EEFF Policies
Creating a policy from Policy Catalog
Editing the EEFF policy settings from Policy Catalog
Enforcing EEFF policies on a system
Enforcing EEFF policies on a system group
How Policy Assignment Rules work
EEFF Policies
Policy settings for EEFF are grouped by category. Each policy category refers to a specific subset
of policy settings. Policies are created and displayed by product and category.
Policy categories
General • Explorer Integration — Specifies the context menu options available to a
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide16
DescriptionCategory
user on the client system.
• Allow Explicit Encrypt — Enables the Encrypt option for client system
users. Default value is disabled.
• Allow Explicit Decrypt — Enables the Decrypt option for client system
users. Default value is disabled.
Configuring EEFF policies using ePO
EEFF Policies
DescriptionCategory
• Enable padlock icon visibility — Displays a padlock icon on encrypted
objects. Default value is enabled.
• Enable search encrypted – Enables Search encrypted option for client
system users. Default value is disabled.
• Allow creation of Self-Extractors – Enables users to manually create
encrypted Self-Extractors for files and folders. Self-Extractor are
password-protected executable files that can be decrypted on non-EEFF
client systems. Default value is enabled.
• Email Integration — Specifies the context menu options available to a user
on the client system.
• Enable sending of encrypted email attachments – Enables managed
node users to send encrypted email attachments, either for internal
recipients (SBA attachment) or for external recipients (Self-Extractor CAB
files). Default value is disabled.
Click Add to specify folder(s) to be encrypted.Folder Encryption
• Path — Specifies the path of the folder to be encrypted.
Specify the path of the folder by selecting from the list or typing it in the text
box.
• Key — Specifies the encryption key which will be assigned to the policy. Browse
to select the key.
Click Add to specify file extension(s) to be encrypted.File Encryption
• Process name — Specifies the process name of the application creating the
files to be encrypted.
• Extensions — Specifies the file extensions to be encrypted that are supported
by the process. Multiple file extensions can be specified using a space,
semi-colon, or colon as separators.
• Key — Specifies the encryption key which will be assigned to the policy. Browse
to select the key.
Removable Media • Encryption Method — Specifies methods used to encrypt a removable media.
• Use no removable media encryption — Does not encrypt files on
removable media. Default value is disabled.
NOTE: The context menu options on the client system will be enabled.
• Use regular encryption — Encrypts files and folders on removable media
with the specified key. Browse to select the key. Default value is disabled.
NOTE: The context menu options on the client system will be disabled if
Decrypt option is selected.
• Ignore existing content — Does not encrypt existing files on
removable media.
• Use McAfee Endpoint Encryption for Removable Media — Specifies
options to encrypt removable media.
• Protected area — Specifies the options to configure encrypted area
on a removable media
• Entire device — Encrypts the entire removable media.
• Percentage of total capacity — Encrypts a specified percentage
of the removable media. The remaining percentage of the device
can be used without authentication. Default value is 50%.
• Percentage of free space — Encrypts a specified percentage of
the free space on the removable media. Default value is 100%.
• Recovery Methods — Specifies methods used to recover the EERM
encrypted removable media.
17McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Configuring EEFF policies using ePO
EEFF Policies
DescriptionCategory
Use recovery key — Specifies the Regular or User Personal key
•
that can be used to recover the encrypted removable media.
• Allow recovery password — Enables user to specify a password
during initialization that can be used to recover the encrypted
removable media.
• Allows user questions — Enables user to specify five questions
during initialization that can be used to recover the encrypted
removable media. To recover the device, user must answer at least
four questions correctly.
• Allow user certification — Enables user to attach a Windows
certificate during initialization that can be used to recover the
encrypted removable media.
• Options — Specifies general encryption options for the removable
media
• Exclude devices larger than — Disables encryption of devices
whose size is larger than the specified value. Default value is 8192
MB.
• Make unprotected files and folders read-only (when used
with EEFF) — Does not allow user to modify unprotected files and
folders on the device when used on a system with EEFF client.
• Floppy Disk Drives — Specifies encryption options for floppy disk drives.
• Make floppy disk drives Read-Only — Does not allow user to modify
files and folders on floppy disk drives.
• Exempt device IDs — Does not update the specified devices with the
changes in encryption policies.
• Add — Adds the ID of the device that will not be updated with the
changes in encryption policies.
• Remove — Removes device ID from exemption list.
• Edit — Edits the ID of the device that will not be updated with the
changes in encryption policies.
CD/DVD Encryption • None Selected — Does not encrypt while burning files and folders to a CD or
Encryption Options • Encryption Options
DVD. User can encrypt or decrypt files or folders using the context menu on
the client system, if required.
• Enforce encryption on CD/DVD write operations — Encrypts files and
folders while burning it to a CD or DVD with the selected key. If Decrypt key
is selected, Encrypt and Decrypt options in the context menu is disabled on
the client system.
• Do not allow writing to CDs and DVDs (make CD/DVD read-only) —
Does not allow user to write any files or folders on CD or DVD.
• Preserve file times — Does not change the file modified and accessed
time on encryption or decryption.
• Require authentication for listing of encrypted folders — Blocks
unauthorized users from browsing encrypted folders.
If the key used to encrypt a folder is not assigned to the user, then the
user cannot view the content of that folder if EEFF is installed. If the key
is assigned to the user, then the user can view the content of folders
encrypted with that key.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide18
• Use wiping when encrypting and deleting files — Uses a secure delete
algorithm when encrypting files to ensure that no trace of the plaintext
data remains on the client system.
NOTE: File wiping may slow down encrypted file operations due to the
additional disk operations required.
Configuring EEFF policies using ePO
EEFF Policies
DescriptionCategory
• Enable limiting of the file size that will be encrypted — Encrypts
only if the file size is less than the specified limit. Default value is 20 MB.
NOTE: This is applicable only if the folder is encrypted using Folder
Encryption policy.
• I/O Utilization
• Maximum I/O utilization — Specifies the percentage of I/O usage EEFF
processes can utilize during encryption.
• Blocked Processes — Blocks the specified processes from opening or editing
encrypted files. EEFF blocks a process by withholding the keys required to
decrypt the files.
• Add — Adds the process using which the user can not open or edit
encrypted files.
• Remove — Removes the process using which the user can not open or
edit encrypted files.
• Edit — Edits the process using which the user can not open or edit
encrypted files.
• Key Request Exclusion — Enables the process such as anti-virus to exclude
encrypted files if it does not have access to the required encryption key.
NOTE: All the keys assigned to the user through policy are unloaded every time
the user logs off.
• Add — Adds the process that will be excluded.
• Remove — Removes the process from exclusion list.
• Edit — Edits the process that will be excluded.
• File Extension Exclusion — Excludes the specified file extension from
encryption.
• Add — Adds the file extension that will be excluded.
• Remove — Removes file extension from exclusion list.
• Edit — Edits file extension that will be excluded.
Grant Keys
(Multi-slot policy)
Network • Enable network encryption — Enables encryption of files on network
• Available Keys — Lists all the active keys, which includes regular, and user
personal keys.
• Selected Keys — Specifies the keys which the policy grants when assigned
to users.
locations.
• Enable network bandwidth limit — Limits the network bandwidth used by
EEFF when encrypting files on network locations. Default value is 50 KB/sec.
• Disable encryption on slow connections — Does not encrypt files on
network locations if the network latency is above the specified limit. Default
value is 500 milliseconds.
NOTE: This option is applicable only if the file is being encrypted through policy
enforcement.
• Maximum clients allowed to encrypt folders — Specifies the maximum
number of users who can simultaneously encrypt folders on a network.
NOTE: This option is applicable only if the file is being encrypted through policy
enforcement.
19McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Configuring EEFF policies using ePO
Creating a policy from Policy Catalog
DescriptionCategory
User Local Keys Options
Allow user local keys — Allows users to create local keys on a client system using
EEFF client. These user local keys can be shared among users using the Export
and Import options in EEFF client.
• Recovery Key — Specifies a Regular or a User Personal Key which can be
used to recover user local keys.
• Allow user local key generation — Allows users to create local keys on a
client system using EEFF client.
• Allow export of user local keys — Allows users to export local keys from a
client system using EEFF client.
• Allow import of user local keys — Allows users to import local keys to a
client system using EEFF client.
• Allow deletion of user local keys — Allows users to delete local keys from
a client system using EEFF client.
• Automatically create a user local key — Creates a default user local key
when a new user logs on to the client system.
Creating a policy from Policy Catalog
Use this task to create a new policy from the Policy Catalog. By default, policies created using
Policy Catalog are not assigned to any groups or systems. When you create a policy, you are
adding a custom policy to the Policy Catalog.
You can create policies before or after the EEFF software is deployed.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then select the Product as Endpoint Encryption
for Files and Folders 4.0.0.0 and a policy Category from the drop-down lists. All created
policies for the selected category appear in the details pane.
2 Click Actions | New Policy. The Create New Policy dialog box appears.
3 Select the policy you want to duplicate from the Create a policy based on this existing
policy drop-down list.
4 Type a name for the new policy and click OK. The Policy Settings wizard opens.
5 Edit the policy settings on each tab as needed.
6 Click Save.
Editing the EEFF policy settings from Policy Catalog
Use this task to modify the EEFF policy settings. Your user account must have appropriate
permissions to edit EEFF policy settings.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then select Endpoint Encryption for Files and
Folders from the Product drop-down list.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide20
Configuring EEFF policies using ePO
Assigning policies to a system or a system group
2 Select the policy Category from the drop-down list. All created policies for the selected
category appear in the details pane.
3 Locate the desired policy, then click Edit Settings next to it.
4 Edit the settings as needed, then click Save.
Assigning policies to a system or a system group
Use these tasks to assign a policy to a specific managed system or multiple managed systems
within a group.
Tasks
Assigning a policy to a managed node
Assigning a policy to a system group
Assigning a policy to a managed node
Use this task to assign a policy to a specific managed system. You can assign policies before
or after deploying Endpoint Encryption for Files and Folders software.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then select the desired group under
System Tree. All the systems within this group (but not its subgroups) appear in the details
pane.
2 Select the desired system, then click Actions | Agent | Modify Policies on a Single
System. The Policy Assignment page for that system appears.
3 Select Endpoint Encryption for Files and Folders 4.0.0 from the product drop-down
list. The policy categories under Endpoint Encryption for Files and Folders are listed with
the system’s assigned policy.
4 Locate the desired policy category, then click Edit Assignments.
5 If the policy is inherited, select Break inheritance and assign the policy and settings
below next to Inherit from.
6 Select the desired policy from the Assigned policy drop-down list.
NOTE: From this location, you can edit the selected policy, or create a new policy.
7 Choose whether to lock policy inheritance. Locking policy inheritance prevents any systems
that inherit this policy from having another one assigned in its place.
Assigning a policy to a system group
Use this task to assign a policy to multiple managed nodes within a group. You can assign
policies before or after Endpoint Encryption for Files and Folder is deployed.
Task
For option definitions, click ? in the interface.
21McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Configuring EEFF policies using ePO
Enforcing EEFF policies on a system
1 Click Menu | Systems | System Tree | Systems, then select the desired group in the
System Tree. All the systems within this group (but not its subgroups) appear in the details
pane.
2 Select the desired systems, then click Actions | Agent | Set Policy & Inheritance. The
Assign Policies page appears.
3 Select Endpoint Encryption for Files and Folders 4.0.0 from the product drop-down
list.
4 Select the Category, and Policy from the drop-down lists, then click Save.
Enforcing EEFF policies on a system
Use this task to enable or disable policy enforcement for EEFF on a system. Policy enforcement
is enabled by default, and is inherited in the System Tree.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then select the group under System
Tree where the system belongs. The list of systems belonging to this group appears in the
details pane.
2 Select the desired system, then click Actions | Agent | Modify Policies on a Single
System. The Policy Assignment page appears.
3 Select Endpoint Encryption for Files and Folders 4.0.0, then click Enforcing next to
Enforcement status. The Enforcement page appears.
4 If you want to change the enforcement status, select Break inheritance and assign the
policy and settings below.
5 Select Enforcing or Not enforcing accordingly as Enforcement status.
6 Click Save.
Enforcing EEFF policies on a system group
Use this task to enable or disable policy enforcement for a product on a System Tree group.
Policy enforcement is enabled by default, and is inherited in the System Tree.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Assigned Policies, then select the desired group
in the System Tree.
2 Select Endpoint Encryption for Files and Folders from the Product drop-down list,
then click Enforcing next to Enforcement Status. The Enforcement page appears.
3 To change the enforcement status, select Break inheritance and assign the policy
and settings below.
4 Select Enforcing or Not enforcing accordingly as Enforcement status.
5 Choose whether to lock policy inheritance. Locking inheritance for policy enforcement
prevents breaking enforcement for groups and systems that inherit this policy.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide22
Configuring EEFF policies using ePO
How Policy Assignment Rules work
6 Click Save.
How Policy Assignment Rules work
Policy assignment rules give you the ability to create user-specific policy assignments. These
assignments are enforced at the target system when a user logs on. On a managed system,
the agent keeps a record of the users who log on to the network. The policy assignments you
create for each user are pushed down to the system they log on to, and are cached during each
agent-server communication. The agent applies the policies that you have assigned to each
user.
NOTE: When a user logs on to a managed system for the first time, there can be a slight delay
while the agent contacts its assigned server for the policy assignments specific to this user.
During this time, the user has access only to that functionality allowed by the default machine
policy, which typically is your most secure policy.
Policy assignments rules reduce the overhead of managing numerous policies for individual
users, while maintaining more generic policies across your System Tree. For example, you can
create a policy assignment rule that is enforced for all users in your engineering group. You
can then create another policy assignment rule for members of your IT department so they can
log on to any computer in the engineering network with the access rights they need to
troubleshoot problems on a specific system in that network. This level of granularity in policy
assignment limits the instances of broken inheritance in the System Tree needed to accommodate
the policy settings that particular users require to perform special functions.
Policy assignment rule priority
Policy assignment rules can be prioritized to simplify maintenance of policy assignment
management. When you set priority to a rule, it is enforced before other assignments with a
lower priority. In some cases, the outcome can be that some rule settings are overridden.
For example, consider a user who is included in two policy assignment rules, rules A and B.
Rule A has priority level 1, and allows included users unrestricted access to internet content.
Rule B has priority level 2, and heavily restricts the same user's access to internet content. In
this scenario, rule A is enforced because it has higher priority. As a result, the user has
unrestricted access to internet content.
How multi-slot policies work with policy assignment rule priority
Priority of rules is not considered for multi-slot policies. When a single rule containing multi-slot
policies of the same product category is applied to a user, all settings of the multi-slot policies
are combined. Similarly, if multiple rules applied to a user contain multi-slot policy settings, all
settings from each multi-slot policy are combined. As a result, the user gets a policy that
combines the settings of each individual rule.
For example, consider the previous example where a user is included in two policy assignment
rules with different assigned priorities. When these rules consist of multi-slot policy assignments,
the settings for both policies are applied without regard to priority. You can prevent application
of combined settings from multi-slot policies across multiple policy assignment rules by excluding
a user (or other Active Directory objects such as a group or organizational unit) when creating
the policy assignment rule.
23McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Configuring EEFF policies using ePO
How Policy Assignment Rules work
Working with policy assignment rules
Use these tasks to configure and manage policy assignment rules. With these tasks you can
set up, create, and manage policy assignment rules in your network.
Tasks
Creating policy assignment rules
Managing policy assignment rules
Creating policy assignment rules
Use this task to create policy assignment rules. Policy assignment rules allow you to enforce
permissions and criteria based policies for individual users accessing your network.
NOTE: Policy assignment rules for EEFF user-based policy overrides the policy assigned to a
system through System Tree.
Before you begin
To complete this task you must:
• Have a registered LDAP server. For more information, see
• Set up Windows Authorization for your registered LDAP server. For more information, see
ePolicy Orchestrator Product Guide
.
Registering LDAP servers
.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Assignment Rules, then click Actions | New Assignment
Rule. The Policy Assignment Builder wizard opens with Details page.
2 Type the Name and Description, then click Next. The user Selection Criteria page opens.
3 Select the user by choosing the selection criteria, then click Next. The Assigned Policies
page opens.
4 Click Add. The Choose a policy to assign dialog appears.
NOTE: You can add more than one Grant Key policy. See
works
for details.
5 Select Endpoint Encryption for Files for Folders 4.0.0 from the Product drop-down
list.
6 Select the policy Category from the drop-down list.
7 Select the desired policy from the Policy drop-down list, then click OK. The Summary page
opens.
8 Click Save.
Managing policy assignment rules
How multiple instance policy
Use this table to perform common management tasks when working with policy assignment
rules. To perform these actions, click Menu | Policy | Policy Assignment Rules. Select the
action to perform from the Actions menu or the Actions column.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide24
Configuring EEFF policies using ePO
How multi-slot policies work
Do this...To do this...
assignment rule
Edit a policy
assignment rule
Export policy
assignment rules
Import policy
assignment rules
Edit the priority of a
policy assignment
rule
a policy assignment
rule
Click Delete in the selected assignment row.Delete a policy
Click Edit Settings for the selected assignment. The Policy Assignment Builder wizard opens.
Work through each page of this wizard to modify this policy assignment rule.
Click Export. The Download Policy Assignment Rules page opens, where you can view or
download the PolicyAssignmentRules.xml file.
Click Import. The Import Policy Assignment Rules dialog box opens, from which you can
browse to a previously downloaded PolicyAssignmentRules.xml file. You are prompted to choose
which rules included in the file to import. You can select which rules to import and, if any rules
in the file have the same name as those already in your Policy Assignment Rules list, you can
select which to retain.
Click Edit Priority. The Policy Assignment Rule | Edit Priority page opens, where you change
the priority of policy assignment rules using the drag-and-drop handle.
Click > in the selected assignment row.View the summary of
How multi-slot policies work
Multi-slot policies are used when a policy setting needs to be shared among users or system
groups. Grant Key policy is a multi-slot policy. An ePO administrator can add multiple grant key
policies to users or system groups restricting the assignment of keys to authorized users only.
The policy instances are automatically combined into one effective policy.
Multi-slot policies obey the ePolicy Orchestrator laws of inheritance within a System Tree (see
ePolicy Orchestrator Product Guide
for more details).
Tasks
Assigning multiple instances of Grant Key policy through System Tree
Assigning multiple instances of Grant Key policy to user(s) using ePO 4.5
Viewing effective policy assigned to systems
Viewing effective policy assigned to users
Assigning multiple instances of Grant Key policy through System
Tree
Use this task to assign multiple instances of Grant Key policy to a system.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Assigned Policies, then select the Product as
Endpoint Encryption for Files and Folders 4.0.0. Each assigned policy per category
appears in the details pane.
2 Locate the Grant Key policy category, then click Edit Assignment. The Policy Assignment
page appears.
3 Click New Policy Instance. The new policy instance Policy 2 is added in the Policy
Assignment page
25McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Configuring EEFF policies using ePO
How multi-slot policies work
4 If the policy is inherited, select Break inheritance and assign the policy and settings
below next to Inherited from.
5 Select the desired Grant Key policy from the Assigned policy drop-down list.
NOTE: From this location, you can also edit the selected policy’s settings, or create a new
policy.
6 Choose whether to lock policy inheritance. Locking policy inheritance prevents any systems
that inherit this policy from having another one assigned in its place.
7 Click Save.
Assigning Grant key policy through policy assignment rule
Use these tasks to assign multiple instances of Grant Key policy to a user or a system through
Policy Assignment Rules.
Assigning multiple instances of Grant Key policy to system(s) using ePO 4.6
Assigning multiple instances of Grant Key policy to user(s) using ePO 4.5
Assigning multiple instances of Grant Key policy to user(s) using ePO 4.6
Assigning multiple instances of Grant Key policy to system(s) using ePO
4.6
You can assign policies to system based on the tags you have applied using ePO 4.6. Use this
task to assign multiple instances of Grant Key policy to system(s) based on the tags applied to
them.
NOTE: When assigning Grant key policy using ePO 4.6, policy assigned to a system (based on
the tags you have applied) through policy assignment rule does not merge with Grant key policy
assigned through system tree.
Before you begin
To complete this task you must:
• Have a registered LDAP server. For more information, see
• Set up Windows Authorization for your registered LDAP server. For more information, see
ePolicy Orchestrator Product Guide
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Assignment Rules, then click Actions | New Assignment
Rule. The Policy Assignment Builder wizard opens with Details page.
2 Type the Name and Description.
3 Select the Rule Type as System Based, then click Next. The Assigned Policies page
opens.
4 Click Add Policy to select the policies that you want to be enforced by this policy assignment
rule.
5 Select Endpoint Encryption for Files for Folders 4.0.0 from the Product drop-down
list.
6 Select Grant Keys from the Category drop-down list.
.
Registering LDAP servers
.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide26
Configuring EEFF policies using ePO
How multi-slot policies work
7 Select the desired policy from the Policy drop-down list, then click OK.
8 Click Next. The Selection Criteria page opens.
9 Select the systems by choosing the selection criteria, then click Next. The Summary page
opens.
10 Click Save.
Assigning multiple instances of Grant Key policy to user(s) using ePO 4.5
Use this task to assign multiple instances of Grant Key policy to user(s).
NOTE: Grant key policy assigned to a user through policy assignment rule will merge with the
grant key policy assigned to the system through System Tree.
Before you begin
To complete this task you must:
• Have a registered LDAP server. For more information, see
• Set up Windows Authorization for your registered LDAP server. For more information, see
ePolicy Orchestrator Product Guide
.
Registering LDAP servers
.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Assignment Rules, then click Actions | New Assignment
Rule. The Policy Assignment Builder wizard opens with Details page.
2 Type the Name and Description, then click Next. The User Selection Criteria page opens.
3 Select the user by choosing the selection criteria, then click Next. The Assigned Policies
page opens.
4 Click Add. The Choose a policy to assign dialog appears.
5 Select Endpoint Encryption for Files for Folders 4.0.0 from the Product drop-down
list.
6 Select Grant Keys from the Category drop-down list.
7 Select the desired policy from the Policy drop-down list, then click OK. The Summary page
opens.
8 Repeat
9 Click Save.
Step 4
through
Step 7
to assign another Grant Key policy to same user(s).
Assigning multiple instances of Grant Key policy to user(s) using ePO 4.6
Use this task to assign multiple instances of Grant Key policy to user(s) based on the tags
applied to them.
NOTE: Grant key policy assigned to a user through policy assignment rule will merge with the
grant key policy assigned to the system through System Tree.
Before you begin
To complete this task you must:
• Have a registered LDAP server. For more information, see
Registering LDAP servers
.
27McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Configuring EEFF policies using ePO
How multi-slot policies work
• Set up Windows Authorization for your registered LDAP server. For more information, see
ePolicy Orchestrator Product Guide
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Assignment Rules, then click Actions | New Assignment
Rule. The Policy Assignment Builder wizard opens with Details page.
2 Type the Name and Description.
3 Select the Rule Type as User Based, then click Next. The Assigned Policies page opens.
4 Click Add Policy to select the policies that you want to be enforced by this policy assignment
rule.
5 Select Endpoint Encryption for Files for Folders 4.0.0 from the Product drop-down
list.
6 Select Grant Keys from the Category drop-down list.
7 Select the desired policy from the Policy drop-down list, then click OK.
8 Click Next. The Selection Criteria page opens.
9 Select the users by choosing the selection criteria, then click Next. The Summary page
opens.
10 Click Save.
.
Viewing effective policy assigned to systems
Use this task to view keys available to the system and the policies to which they are associated.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Assigned Policies, then select the Product as
Endpoint Encryption for Files and Folders 4.0.0.0. Each assigned policy per category
appears in the details pane.
2 Locate the Grant Key policy category, then click View Effective Policy. The View Effective
Grant Keys Policy page appears with the list of keys available to the system and the policies
to which they are associated.
Viewing effective policy assigned to users
Use this task to view keys available to the user and the policies to which they are associated.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree | Systems, then select the required system.
2 Click Actions | Direct Management | View Effective Policy (by user). The Policy
Assignment page appears.
3 Select the Product as Endpoint Encryption for Files and Folders 4.0.0, then click
Select User next to Effective Policy for User. The Select User window appears.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide28
Configuring EEFF policies using ePO
How multi-slot policies work
4 Select the required user, then click OK. The policies assigned for the selected user appears
in the details pane.
5 Locate the Grant Key policy category, then click View Effective Policy. The View Effective
Grant Keys Policy page appears with the list of keys available to the user and the policies
to which they are associated.
29McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Managing EEFF keys
EEFF uses encryption keys to protect files and folders on networks, removable media, CD or
DVD, and user hard disks. Encryption keys are generated and stored in an ePO internal encryption
key repository within the ePO environment. Encryption keys are managed through ePO.
The EEFF client requests a key when a user accesses an encrypted file or a folder. If a policy
is assigned to the user with the requested encryption key, EEFF decrypts the data.
The administrator can create and manage encryption keys from ePO under the EEFF keys tab.
These keys are assigned to policies that are later assigned to users or systems. All the keys
assigned through the policy will be loaded at every logon and unloaded every time user logs
off.
EEFF supports three types of keys that include regular keys, user personal keys, and user local
keys.
Regular keys are created by ePO administrators and can be used in any policy.
User personal keys are generated in ePO when a key is granted to a user through Grant Key
policy. These policies when assigned to a user, enables the user to use the key across all the
client systems in the same domain.
User Local keys are created using EEFF client software on a client system. These keys can be
used by the user to encrypt or decrypt data on the same network using the context menu. Local
keys are limited to the user and client system on which it was created.
Contents
Creating a regular key
Activating or deactivating keys
Assigning keys to a policy
Editing a key
Deleting keys
Exporting keys
Importing keys
How user personal keys work
Creating a regular key
Use this task to create a new encryption key.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide30
Managing EEFF keys
Activating or deactivating keys
2 Click Actions | Create New Key. The Create a New Key dialog box appears.
3 Type a name and description for the key.
4 Select Never expire key or an expiration date as required.
5 Click OK.
Activating or deactivating keys
Use this task to activate or deactivate a key. When a key is deactivated, it will be removed from
all the client systems during the next policy update.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears.
2 Select the key(s) to activate, then click Actions | Activate Key(s).
To deactivate key(s), select the key(s), then click Actions | Deactivate Key(s). On the
Deactivate Key(s) dialog box, click OK.
Assigning keys to a policy
Encryption keys are assigned to users or systems through Grant Key policy. Grant Keys policy
is a multiple instance policy. See
Use this task to assign keys to a Grant Key policy.
NOTE: You can assign only active keys to a Grant Key policy.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then select the Product as Endpoint Encryption
for Files and Folders 4.0.0.0 and Category as Grant Keys (UBP) from the drop-down
lists. All the Grant Keys policies appear in the details pane.
2 Click Edit Settings next to the required Grant Key policy. The selected Grant Key policy
page appears with the list of active keys in the Available Keys pane.
3 Select and the move the required keys to Selected Keys pane.
4 Click Save and send an agent wake-up call.
How multiple-instance policies work
Editing a key
Use this task to edit an existing encryption key.
for more information.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears.
2 Select the key to edit, then click Actions | Edit key. The Edit Key dialog box appears.
31McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Managing EEFF keys
Deleting keys
3 Edit the name, description, and expiry date of the key.
4 Click OK.
Deleting keys
Use this task to delete a key. EEFF does not allow you to delete an active key. Refer
or deactivating keys
CAUTION: All files encrypted with the deleted key will be inaccessible. Files can still remain
encrypted on the client systems or removable media even if a key has been removed from all
policies. Files encrypted with a deleted key cannot be recovered.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears.
2 Select the key(s) to delete, then click Actions | Delete Key(s). The Delete Key(s) key
dialog box appears.
3 Click OK.
Exporting keys
Use this task to export keys. The keys will be exported to a password protected .bin file.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears.
2 Select the key(s) to export, then click Actions | Export Key(s). The Export Key(s) dialog
box appears.
3 Type and confirm a password that will be used to protect the exported file, then click OK.
The Export Keys for EEFF page appears.
4 Click on the .bin file and save it to the required location.
5 Click Close.
Activating
for instructions on deactivating a key.
Importing keys
Use this task to import keys.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears.
2 Click Actions | Import Keys. The Import Keys page appears.
3 Browse to select the .bin or .xml file, then type the password if prompted.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide32
Managing EEFF keys
How user personal keys work
4 Click Import Keys.
How user personal keys work
User personal key gives you ability to create user-specific encryption keys. These keys are
created at the ePO server when the user logs on to the client system for the first time after the
policy is enforced. User personal keys are assigned to Grant key policy as a single key, but
creates individual user personal keys when assigned. If the policy is assigned at the system
level, users using that system will have individual user personal keys. When assigned at user
level, these keys can be used on any system within the same domain.
The user personal key is enabled and assigned to Grant Key policy using ePO. The Grant key
policy can be assigned to specific users using Policy Assignment Rules and specific system or
system group using Assigned Policies page. Enforcing the Grant key policy on the managed
node creates a user personal key at the first log on of the user. User personal keys can be used
as recovery key for user local keys and EERM.
Best Practice
Assigning a user personal key as a recovery key for EERM, the administrator can ensure that
the removable media can be recovered only by the assigned user on any system in the same
domain.
Working with user personal keys
Use these tasks to create and recover user personal keys.
Tasks
Assigning a user personal key
Recovering user personal keys
Assigning a user personal key
Use this task to create a user personal key.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears.
2 Click Edit next to User Personal Keys. The Configure User Personal Keys page appears.
3 Select Enable User Personal Keys, then click Save.
4 Click Menu | Policy | Policy Catalog, then select Endpoint Encryption for Files and
Folders from the Product drop-down list.
5 Select Grant Keys (UBP) as policy Category, then click Edit Settings next to the
required policy.
6 Select and move the User Personal Key to Selected Keys table, then click Save.
7 Click Menu | Policy | Policy Assignment Rules, then click New Assignment Rule.
The Policy Assignment Builder wizard appears.
8 Type the Name and Description, then click Next. The user Selection Criteria page opens.
33McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Managing EEFF keys
How user personal keys work
9 Select the user by choosing the selection criteria, then click Next. The Assigned Policies
page opens.
10 Click Add. The Choose a policy to assign dialog appears.
11 Select Endpoint Encryption for Files for Folders 4.0.0 as Product and Grant Keys
as Category.
12 Select the desired policy from the Policy drop-down list, then click OK. The Summary page
opens.
13 Click Save.
After assigning the Grant Key policy to the user, a user personal key is generated when the
user logs into the client system.
Recovering user personal keys
Use this task to recover a user personal key. Displaying the user personal keys as regular keys
enables administrator to recover files encrypted with a user key belonging to another user.
Task
For option definitions, click ? in the interface.
1 Click Menu | Data Protection | EEFF keys. The EEFF Key Management page appears.
2 Select the required user personal key, then click Actions | Edit Key. The Edit key dialog
box appears.
3 Select Display as regular, then click OK.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide34
Managing EEFF Reports
The ePO server ships with its own querying and reporting capabilities. These are highly
customizable, flexible and easy to use.
EEFF queries are configurable objects that retrieve and display data from the database. These
queries can be displayed in charts and tables. Any query results can be exported to a variety
of formats, any of which can be downloaded or sent as an attachment to an email message.
Most queries can be used as dashboard monitors.
Query results are actionable
Query results are now actionable. Query results displayed in tables (and drill-down tables) have
a variety of actions available for selected items in the table. For example, you can deploy agents
to systems in a table of query results. Actions are available at the bottom of the results page.
Queries as dashboard monitors
Most queries can be used as a dashboard monitor (except those using a table to display the
initial results). Dashboard monitors are refreshed automatically on a user-configured interval
(five minutes by default).
Exported results
Query results can be exported to four different formats. Exported results are historical data and
are not refreshed like other monitors when used as dashboard monitors. Like query results and
query-based monitors displayed in the console, you can drill down into the HTML exports for
more detailed information.
Unlike query results in the console, data in exported reports is not actionable.
Reports are available in several formats:
• CSV — Use the data in a spreadsheet application (for example, Microsoft Excel).
• XML — Transform the data for other purposes.
• HTML — View the exported results as a web page.
• PDF — Print the results.
Contents
Creating EEFF custom queries
Viewing the standard EEFF queries
Creating EEFF custom queries
Use this option to create EEFF custom queries with the Query Builder wizard.
35McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Managing EEFF Reports
Viewing the standard EEFF queries
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries, then click Actions | New Query. The Query
Builder wizard opens.
2 On the Result Type page, select Others from the Feature Group pane and Endpoint
Encryption Result Type for the query, then click Next. The Chart page appears.
NOTE: This choice determines the options available on subsequent pages of the wizard.
3 Select the type of chart or table to display the primary results of the query, then click Next.
The Columns page appears.
NOTE: If you select Boolean Pie Chart, you must configure the criteria to include in the
query.
4 Select the columns to be included in the query, then click Next. The Filter page appears.
NOTE: If you selected Table on the Chart page, the columns you select here are the
columns of that table. Otherwise, these are the columns that make up the query details
table.
5 Select properties to narrow the search results, then click Run. The Unsaved Query page
displays the results of the query, which is actionable, so you can take any available actions
on items in any tables or drill-down tables.
NOTE: Selected properties appear in the content pane with operators that can specify
criteria used to narrow the data that is returned for that property.
• If the query didn’t appear to return the expected results, click Edit Query to go back
to the Query Builder and edit the details of this query.
• If you don’t need to save the query, click Close.
• If this is a query you want to use again, click Save and continue to the next step.
6 The Save Query page appears. Type a name for the query, add any notes, and select
one of the following:
• New Group — Type the new group name and select either:
• Private group (My Groups)
• Public group (Shared Groups)
• Existing Group — Select the group from the list of Shared Groups.
7 Click Save.
Viewing the standard EEFF queries
Use this option to run and view the standard EEFF report from the Queries page.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries. The Queries page opens.
2 Select EEFF Queries from Shared Groups in Groups pane, The standard EEFF query
list appears.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide36
Managing EEFF Reports
Viewing the standard EEFF queries
DescriptionQuery
Displays the number of active and inactive keys.EEFF Active Keys
EEFF Key Usage
Displays the available keys, their policy category, and the
policy in which they are used.
3 Select a query from the Queries list.
4 Click Actions | Run. The query results appear. Drill down into the report and take actions
on items as necessary. Available actions depend on the permissions of the user.
NOTE: The user has an option to edit the query and to view the details of the query.
5 Click Close when finished.
37McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Defining EEFF permission sets for ePO users
In ePO, administrator rights management determines what ePO users can perform while
administering EEFF.
A permission set is a group of permissions that can be granted to users or Active Directory (AD)
groups by assigning it to those users’ accounts. One or more permission sets can be assigned
to users who are not global administrators (global administrators have all permissions to all
products and features).
User accounts and their associated permission sets in ePolicy Orchestrator define the tasks that
the users can perform. This allows you to restrict specific users or groups from misusing EEFF
features.
Contents
Creating permission sets for user accounts
Editing EEFF Policy Permissions
Editing EEFF Key Server permissions
Creating permission sets for user accounts
Use this task to create a permission set. Only global administrators can create permission sets.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Permission Sets | New Permission Set. The New
Permission Set page appears.
2 Type a permission set name in the Name field.
3 Select the Active Directory groups mapped to this permission set. To add a new
Active Directory group, click Add, browse to the group then click OK.
4 Select the Server name, then click Save. The new permission set page appears.
Editing EEFF Policy Permissions
Use this task to define permissions for configuring EEFF policy settings.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Permission Sets | New Permission Set. The New
Permission Set page appears.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide38
Defining EEFF permission sets for ePO users
Editing EEFF Key Server permissions
2 Click Edit next to EEFF Policy Permissions. The Edit Permission Set page appears.
3 Set appropriate permissions to the user and click Save.
Editing EEFF Key Server permissions
Use this task to define permissions for creating and managing EEFF keys.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Permission Sets | New Permission Set. The New
Permission Set page appears.
2 Click Edit next to EEFF Key Server. The Edit Permission Set page appears.
3 Set appropriate permissions to the user and click Save.
39McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Appendix A: Removable Media registry controls
EEFF defines the term removable media as a drive with the exception of boot drive and remote
drives. This may be a concern for client systems having built-in extra drives, for example an
extra hard drive with a ZIP drive. These drives will be subject to removable media encryption.
Relaxing the Removable Media definition
EEFF allows you to relax the removable media definition by applying it to USB drives and FireWire
drives, or, drives that report themselves as removable to the Operating System. Relaxing the
removable media definition is done by adding a registry value on the client computer.
Task
1 On the client system, create a DWORD registry value in
HKLM\System\CurrentControlSet\Services\MfeEEFF called
RelaxedRemovableMediaDefinition.
2 Set the registry value as required.
• "0": Default definition (same as not having this registry value)
• "1": Only disks reported as 'Removable' or located on the USB or IEEE 1394 (FireWire)
port
• "2": Only disks reported as 'Removable'
Restart the system to save the changes.
Exempt local drives and network shares from
encryption
You can exclude local drives and network drives from encryption by adding a registry value on
the client. Setting this registry value makes the EEFF driver not attach to local and network
drives, but only to removable media drives and CD/DVD drives.
Task
1 On the client system, create a DWORD value in HKLM\System\CCS\Service\MfeEEFF
called ExemptNonRemovable and set its value to 1.
Restart the system to save the changes.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide40
Appendix A: Removable Media registry controls
Exempt local drives and network shares from encryption
To verify if the changes are saved, right-click a file on the local drive and select Encrypt… |
Allow explicit encrypt. It fails to encrypt the file on the local drive, but encrypts the same
file on a removable drive.
NOTE:
• This registry value must be manually set on each client system. It can also be remotely
distributed with a systems management tool.
• When enabled, it will not be possible to read (decrypt) any existing encrypted files on local
drives or network shares.
41McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Appendix B: Best Practices
This section provides some recommendations for large scale deployments of EEFF.
NOTE: Consult your Endpoint Encryption representative if you have special considerations for
your environment. The definition of a large-scale installation is any deployment with 1000 users
and above.
Key caching
Try to make use of the encryption key caching feature. This might not be possible due to security
reasons. However, considering this option for any encryption key created will help reduce the
communication payload on the McAfee Agent to ePO.
Tune encryption intensity for network
When encrypting large folders on a network share through a policy, it is recommended to tune
the network encryption intensity.
Configure these values to tune the network encryption intensity:
• I/O Utilization: 30% (Set in Encryption options policy)
• Bandwidth limit: 100 KB/sec. (Set in Network policy)
• Network latency: 600 ms. (Set in Network policy)
• Maximum number of clients to encrypt folders: 10
You can limit the size of the files to be encrypted (Set in the Encryption options policy).
Explicitly encrypt large shares in advance
Use a manual (explicit) encryption method for large network folder(s) encryption, rather than
encrypting them through a folder encryption policy.
Initiate the encryption from a single machine, after logging on with an appropriate EEFF user,
then let the encryption run (maybe overnight).
The reason is to avoid extreme payload on the file server(s) from many clients seeking to
enumerate, fetch, encrypt, and upload files to/from the server(s). This reduces the risk of
network failure and file server payload overflow is minimized.
Exclude EEFF client program directory
Irrespective of the anti-virus solution used on the clients, it is recommended to exclude the
EEFF program directory from real-time anti-virus scanning.
By default, the EEFF program directory is [SYSDRIVE]\Program Files\McAfee\Endpoint
Encryption for Files&Folders.
Typically, most anti-virus solutions can be policy controlled to exclude certain directories from
real-time scanning. Consult the operating manuals for your anti-virus solution for further details.
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide42
Index
A
assign policy
grant key 31
C
checking in software packages 8
client task
update packages 10
create
regular key 30
D
deployment
installing products 10
upgrading agents 10
E
EEFF 5, 30
client 5
encryption keys 30
Endpoint Encryption for Files and Folders 5
enforcement (See policy enforcement) 22
ePO Help extension 9
ePO server 9
extension 9
G
Grant Key
multi-slot policy 25, 26, 27
groups
policy enforcement for a product 22
H
host 10
K
keys
activate 31
assign policy 31
deactivate 31
deleting 32
editing 31
exporting 32
importing 32
regular 30
user local 30
user personal 30
L
LDAP servers, registering 9
M
managed systems
policy management on 16
master repositories
checking in packages 8
multi-slot policy
Grant Key 25
multiple instance policy
assigning to system 25, 26
assigning to user 27
P
Permission sets 38, 39
EEFF key management 39
EEFF policy 38
Persistent Encryption 5
policies
about 16
categories 16
controlling on Policy Catalog page 20
viewing 16
Policies
multi-slot 25
policy assignment
systems, assigning to 21
Policy Assignment Rules
about 23
create 24
edit priority 24
editing and deleting 24
exporting and importing 24
multi-slot policy 23
priority 23
view summary 24
Policy Catalog
page, viewing 16
policy enforcement
enabling and disabling 22
for a product 22
product installation
configuring deployment tasks 10
Q
queries
custom, creating 35
view result 36
Query Builder wizard
creating custom queries 35
R
registered servers
LDAP servers, adding 9
requirements, operating system 6
43McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide
Index
requirements, software 6
requirements, system 6
S
servers
LDAP servers, registering 9
software 9
systems
assigning policies to 21
policy enforcement for a product 22
U
Uninstall
deployment package 14
from ePO 13
Uninstall
updates
User personal keys
(continued)
from managed nodes 12
PC client 10
about 33
best practices 33
create 33
enable 33
grant key 33
recover 34
V
View Effective policy
system 28
user 28
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide44
Loading...